Fix double-free in DSA code (CVE-2016-0705) Bug: 27449871 Change-Id: I6505daa7e1ad9d594b958489f381ad48dcb16f12

commit: 68b079eb86cf90def7a1248a360819ea6066446e [log] [tgz]
author: Parth Dixit <parthd@codeaurora.org> Mon Aug 29 02:17:38 2016 +0530
committer: Gerrit - the friendly Code Review server <code-review@localhost> Thu Sep 08 04:00:42 2016 -0700
tree: 66a56b72447a56a3b63e6c75ab55c73cf675da7b
parent: eb92de4f4fb49e519faa7faf395930963dc8f052 [diff]
diff --git a/lib/openssl/crypto/dsa/dsa_ameth.c b/lib/openssl/crypto/dsa/dsa_ameth.c
index 6413aae..af74044 100644
--- a/lib/openssl/crypto/dsa/dsa_ameth.c
+++ b/lib/openssl/crypto/dsa/dsa_ameth.c

@@ -200,6 +200,7 @@
 
 	STACK_OF(ASN1_TYPE) *ndsa = NULL;
 	DSA *dsa = NULL;
+	int ret =0;
 
 	if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
 		return 0;
@@ -281,23 +282,21 @@
 		}
 
 	EVP_PKEY_assign_DSA(pkey, dsa);
+	ret = 1;
+	goto done;
+
+	decerr:
+	DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
+	dsaerr:
+	DSA_free(dsa);
+	done:
 	BN_CTX_free (ctx);
 	if(ndsa)
 		sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
 	else
 		ASN1_INTEGER_free(privkey);
 
-	return 1;
-
-	decerr:
-	DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
-	dsaerr:
-	BN_CTX_free (ctx);
-	if (privkey)
-		ASN1_INTEGER_free(privkey);
-	sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-	DSA_free(dsa);
-	return 0;
+	return ret;
 	}
 
 static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
commit	68b079eb86cf90def7a1248a360819ea6066446e	[log] [tgz]
author	Parth Dixit <parthd@codeaurora.org>	Mon Aug 29 02:17:38 2016 +0530
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Thu Sep 08 04:00:42 2016 -0700
tree	66a56b72447a56a3b63e6c75ab55c73cf675da7b
parent	eb92de4f4fb49e519faa7faf395930963dc8f052 [diff]