diff -up openssl-fips-0.9.8e/CHANGES.doublefree openssl-fips-0.9.8e/CHANGES diff -up openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c.doublefree openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c --- openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c.doublefree 2004-03-25 14:45:58.000000000 +0100 +++ openssl-fips-0.9.8e/crypto/x509v3/pcy_map.c 2012-01-16 10:37:18.480935735 +0100 @@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF static void policy_map_free(X509_POLICY_REF *map) { - if (map->subjectDomainPolicy) - ASN1_OBJECT_free(map->subjectDomainPolicy); OPENSSL_free(map); } @@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, PO { POLICY_MAPPING *map; X509_POLICY_REF *ref = NULL; + ASN1_OBJECT *subjectDomainPolicyRef; X509_POLICY_DATA *data; X509_POLICY_CACHE *cache = x->policy_cache; int i; @@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, PO if (!sk_ASN1_OBJECT_push(data->expected_policy_set, map->subjectDomainPolicy)) goto bad_mapping; + /* map->subjectDomainPolicy will be freed when + * cache->data is freed. Set it to NULL to avoid double-free. */ + subjectDomainPolicyRef = map->subjectDomainPolicy; + map->subjectDomainPolicy = NULL; ref = OPENSSL_malloc(sizeof(X509_POLICY_REF)); if (!ref) goto bad_mapping; - ref->subjectDomainPolicy = map->subjectDomainPolicy; - map->subjectDomainPolicy = NULL; + ref->subjectDomainPolicy = subjectDomainPolicyRef; ref->data = data; if (!sk_X509_POLICY_REF_push(cache->maps, ref)) diff -up openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c.doublefree openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c --- openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c.doublefree 2006-11-27 14:36:54.000000000 +0100 +++ openssl-fips-0.9.8e/crypto/x509v3/pcy_tree.c 2012-01-16 10:37:18.481935777 +0100 @@ -610,6 +610,10 @@ int X509_policy_check(X509_POLICY_TREE * case 2: return 1; + /* Some internal error */ + case -1: + return -1; + /* Some internal error */ case 0: return 0; @@ -689,4 +693,3 @@ int X509_policy_check(X509_POLICY_TREE * return 0; } -