[BUG] A double free bug in crypto/ts/ts_rsp_verify.c #14914
Description
File: crypto/ts/ts_rsp_verify.c
Bug Function: int_ts_RESP_verify_token
Version: Git-master (2021-4-18)
Description:
In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.
After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed in the second time at line 320.
Code Description:
static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
PKCS7 *token, TS_TST_INFO *tst_info)
{
...
if ((flags & TS_VFY_DATA)
299: && (!ts_compute_imprint(ctx->data, tst_info,
&md_alg, &imprint, &imprint_len)
|| !ts_check_imprints(md_alg, imprint, imprint_len, tst_info)))
goto err;
...
err:
X509_free(signer);
320: X509_ALGOR_free(md_alg); // md_alg is freed in the second time !
OPENSSL_free(imprint);
return ret;
}
static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
X509_ALGOR **md_alg,
unsigned char **imprint, unsigned *imprint_len)
{
406: if ((*md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL) // md_alg is allocated.
goto err;
md_ctx = EVP_MD_CTX_new();
if (md_ctx == NULL) {
ERR_raise(ERR_LIB_TS, ERR_R_MALLOC_FAILURE);
goto err;
}
err:
...
439: X509_ALGOR_free(*md_alg); // md_alg is freed in the first time!
...
return 0;
}