[xmlsec] Crash in x509.c when flag XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT is set

Frank Gross fg at 4js.com
Tue Jun 10 07:33:48 PDT 2008


Hi,

  Please find attached a patch that fixes a crash in the openssl/x509.c file when 
XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT is set.
The error message is built from the 'subject' variable, but that variable 
has already been freed at that point, which leads to a crash.

Frank

-------------- next part --------------
Index: x509.c
===================================================================
--- x509.c	(revision 38664)
+++ x509.c	(working copy)
@@ -1084,7 +1245,6 @@
 
     cert = xmlSecOpenSSLX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx);
     if(cert == NULL){
-	xmlFree(subject);
 
 	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1093,8 +1253,11 @@
 			XMLSEC_ERRORS_R_CERT_NOT_FOUND,
 			"subject=%s", 
 			xmlSecErrorsSafeString(subject));
+    	xmlFree(subject);
 	    return(-1);
 	}
+	xmlFree(subject);
+	
 	return(0);
     }
 
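Review bot: The cleanup added at `return(-1)` and `return(0)` frees `subject` in two places, so the ordering that caused the crash (free before the `xmlSecErrorsSafeString(subject)` read) can easily be reintroduced by a later edit; a single exit is safer. Inside the flag branch, replace the free and return with `ret = -1;` and end the `cert == NULL` block with `xmlFree(subject); return(ret);`, where `ret` is a local initialised to 0 (the function's declarations are outside the hunk, so check whether one already exists). The same applies to `issuerSerial`/`issuerName` in the `@@ -1268,8 +1429,12 @@` hunk. The `xmlFree` lines added inside both flag branches are indented with spaces followed by a tab, unlike the tab-first lines around them. Since the freed string was read while reporting an unknown certificate, a path that is presumably reachable from untrusted KeyInfo input, a regression test run under a memory checker with XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT set would be worth adding.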
@@ -1257,8 +1420,6 @@
 
     cert = xmlSecOpenSSLX509StoreFindCert(x509Store, NULL, issuerName, issuerSerial, NULL, keyInfoCtx);
     if(cert == NULL){
-	xmlFree(issuerSerial);
-	xmlFree(issuerName);
 
 	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CERT) != 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1268,8 +1429,12 @@
 			"issuerName=%s;issuerSerial=%s",
 		        xmlSecErrorsSafeString(issuerName), 
 			xmlSecErrorsSafeString(issuerSerial));
+    	xmlFree(issuerSerial);
+	    xmlFree(issuerName);
 	    return(-1);
 	}
+	xmlFree(issuerSerial);
+	xmlFree(issuerName);
 	return(0);    
     }
 

