[BUG] A double free bug in crypto/srp/srp_vfy.c

**File:** crypto/srp/srp_vfy.c
**Bug Function:** SRP_create_verifier_ex
**Version:** Git-master(2021-4-18)

**Description:**
In function `SRP_create_verifier_ex`, it calls `SRP_create_verifier_BN_ex(..., &v, ..) ` at line 653.
In the implementation of `SRP_create_verifier_BN_ex()`, `*verify` (which is the paremeter of `v`) is allocated a pointer via `BN_new()` at line 738.
And `*verify` is freed via `BN_clear_free()` at line 743, and return 0.
Then the execution continues up to `goto err` at line 655, and the freed `v` is freed again at line 687.

**Code Description:**
```
char *SRP_create_verifier_ex(...)
{
   ...
653: if (!SRP_create_verifier_BN_ex(user, pass, &s, &v, N_bn, g_bn, libctx,
                                   propq))
655:    goto err;
 err:
    ...
687:BN_clear_free(v);  // Freed in the second time !
    return result;
}


int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
                              BIGNUM **verifier, ...)
{
    int result = 0;
    ...
738:*verifier = BN_new();   // Allocated Here!
    if (*verifier == NULL)
        goto err;

    if (!BN_mod_exp(*verifier, g, x, N, bn_ctx)) {
743:    BN_clear_free(*verifier);   // Freed in the first time !
        goto err;
    }
 err:
    ...
    return result;   // return 0.
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG] A double free bug in crypto/srp/srp_vfy.c #14913

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

[BUG] A double free bug in crypto/srp/srp_vfy.c #14913

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions