Do not use OPENSSL_free() to free OBJ_dup() return value

[BianPan]

File: crypto/objects/obj_dat.c
Function: OBJ_add_object()

Details: OBJ_dup() allocates memory with ASN1_OBJECT_new(), and the returned memory should be freed with ASN1_OBJECT_free(). However, In OBJ_add_object(), the return value of OBJ_dup() (called at line 183) is mistakenly passed to OPENSSL_free() (at line 216), which may result in a memory leak bug.

For your convenience, I paste related bugs as follows:

174 int OBJ_add_object(const ASN1_OBJECT *obj)
175 {
176 ASN1_OBJECT *o;
177 ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop;
178 int i;
179
180 if (added == NULL)
181 if (!init_added())
182 return 0;
183 if ((o = OBJ_dup(obj)) == NULL)
184 goto err;
185 if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
186 goto err2;
187 if ((o->length != 0) && (obj->data != NULL))
188 if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
189 goto err2;
190 if (o->sn != NULL)
191 if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
192 goto err2;
193 if (o->ln != NULL)
194 if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(ao[0]))) == NULL)
195 goto err2;
196
197 for (i = ADDED_DATA; i <= ADDED_NID; i++) {
198 if (ao[i] != NULL) {
199 ao[i]->type = i;
200 ao[i]->obj = o;
201 aop = lh_ADDED_OBJ_insert(added, ao[i]);
202 / memory leak, but should not normally matter */
203 OPENSSL_free(aop);
204 }
205 }
206 o->flags &=
207 ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
208 ASN1_OBJECT_FLAG_DYNAMIC_DATA);
209
210 return o->nid;
211 err2:
212 OBJerr(OBJ_F_OBJ_ADD_OBJECT, ERR_R_MALLOC_FAILURE);
213 err:
214 for (i = ADDED_DATA; i <= ADDED_NID; i++)
215 OPENSSL_free(ao[i]);
216 OPENSSL_free(o);
217 return NID_undef;
218 }

Thanks!

[mattcaswell]

Thanks for the report. Now fixed in git.