On 22-11-08 18:48:44, Tobias Heider wrote:
> nm.a is initialized to NULL until it gets alloced by x509_name_ex_new().
> The following 'goto err' should free nm.a before returning.
>
> ok?
Unless I'm missing something, I do not believe this is correct - nm is a union and nm.a is the same pointer as nm.x - nm.x is already freed via X509_NAME_free(), which would make this a double free. > Index: asn1/x_name.c > =================================================================== > RCS file: /cvs/src/lib/libcrypto/asn1/x_name.c,v > retrieving revision 1.37 > diff -u -p -r1.37 x_name.c > --- asn1/x_name.c 25 Dec 2021 13:17:48 -0000 1.37 > +++ asn1/x_name.c 8 Nov 2022 17:45:08 -0000 > @@ -340,6 +340,7 @@ x509_name_ex_d2i(ASN1_VALUE **val, const > err: > if (nm.x != NULL) > X509_NAME_free(nm.x); > + free(nm.a); > ASN1error(ERR_R_NESTED_ASN1_ERROR); > return 0; > }
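Review bot: the added `free(nm.a);` in the err: path of x509_name_ex_d2i() double-frees whenever nm.x != NULL: as the reply above points out, nm is a union, so nm.a and nm.x hold the same pointer, and `X509_NAME_free(nm.x);` two lines earlier has already released that object. Drop the `+ free(nm.a);` line. If the concern is a leak on the branch where nm.x is NULL, there is nothing to free there either, since nm.a shares the same storage and is then NULL as well.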