openssl/sme8/openssl-fips-0.9.8e-cve-2011-4109.patch

diff -up openssl-fips-0.9.8e/CHANGES.doublefree openssl-fips-0.9.8e/CHANGES
diff -up openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c.doublefree openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c
--- openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c.doublefree      2004-03-25 14:45:58.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c 2012-01-16 10:37:18.480935735 +0100
@@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF
 
 static void policy_map_free(X509_POLICY_REF *map)
        {
-       if (map->subjectDomainPolicy)
-               ASN1_OBJECT_free(map->subjectDomainPolicy);
        OPENSSL_free(map);
        }
 
@@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, PO
        {
        POLICY_MAPPING *map;
        X509_POLICY_REF *ref = NULL;
+       ASN1_OBJECT *subjectDomainPolicyRef;
        X509_POLICY_DATA *data;
        X509_POLICY_CACHE *cache = x->policy_cache;
        int i;
@@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, PO
                if (!sk_ASN1_OBJECT_push(data->expected_policy_set, 
                                                map->subjectDomainPolicy))
                        goto bad_mapping;
+                /* map->subjectDomainPolicy will be freed when
+                 * cache->data is freed. Set it to NULL to avoid double-free. */
+                subjectDomainPolicyRef = map->subjectDomainPolicy;
+                map->subjectDomainPolicy = NULL;
                
                ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
                if (!ref)
                        goto bad_mapping;
 
-               ref->subjectDomainPolicy = map->subjectDomainPolicy;
-               map->subjectDomainPolicy = NULL;
+               ref->subjectDomainPolicy = subjectDomainPolicyRef;
                ref->data = data;
 
                if (!sk_X509_POLICY_REF_push(cache->maps, ref))
diff -up openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c.doublefree openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c
--- openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c.doublefree     2006-11-27 14:36:54.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c        2012-01-16 10:37:18.481935777 +0100
@@ -610,6 +610,10 @@ int X509_policy_check(X509_POLICY_TREE *
                case 2:
                return 1;
 
+                /* Some internal error */
+               case -1:
+               return -1;
+
                /* Some internal error */
                case 0:
                return 0;
@@ -689,4 +693,3 @@ int X509_policy_check(X509_POLICY_TREE *
        return 0;
 
        }
-
1	diff -up openssl-fips-0.9.8e/CHANGES.doublefree openssl-fips-0.9.8e/CHANGES
2	diff -up openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c.doublefree openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c
3	--- openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c.doublefree 2004-03-25 14:45:58.000000000 +0100
4	+++ openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c 2012-01-16 10:37:18.480935735 +0100
5	@@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF
6
7	static void policy_map_free(X509_POLICY_REF *map)
8	{
9	- if (map->subjectDomainPolicy)
10	- ASN1_OBJECT_free(map->subjectDomainPolicy);
11	OPENSSL_free(map);
12	}
13
14	@@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, PO
15	{
16	POLICY_MAPPING *map;
17	X509_POLICY_REF *ref = NULL;
18	+ ASN1_OBJECT *subjectDomainPolicyRef;
19	X509_POLICY_DATA *data;
20	X509_POLICY_CACHE *cache = x->policy_cache;
21	int i;
22	@@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, PO
23	if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
24	map->subjectDomainPolicy))
25	goto bad_mapping;
26	+ /* map->subjectDomainPolicy will be freed when
27	+ * cache->data is freed. Set it to NULL to avoid double-free. */
28	+ subjectDomainPolicyRef = map->subjectDomainPolicy;
29	+ map->subjectDomainPolicy = NULL;
30
31	ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
32	if (!ref)
33	goto bad_mapping;
34
35	- ref->subjectDomainPolicy = map->subjectDomainPolicy;
36	- map->subjectDomainPolicy = NULL;
37	+ ref->subjectDomainPolicy = subjectDomainPolicyRef;
38	ref->data = data;
39
40	if (!sk_X509_POLICY_REF_push(cache->maps, ref))
41	diff -up openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c.doublefree openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c
42	--- openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c.doublefree 2006-11-27 14:36:54.000000000 +0100
43	+++ openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c 2012-01-16 10:37:18.481935777 +0100
44	@@ -610,6 +610,10 @@ int X509_policy_check(X509_POLICY_TREE *
45	case 2:
46	return 1;
47
48	+ /* Some internal error */
49	+ case -1:
50	+ return -1;
51	+
52	/* Some internal error */
53	case 0:
54	return 0;
55	@@ -689,4 +693,3 @@ int X509_policy_check(X509_POLICY_TREE *
56	return 0;
57
58	}
59	-