From e1fb0a70cdc84a8465e2c6cf98f4ed099148c034 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Tue, 1 Sep 2015 21:47:12 -0400
Subject: Better handling of verify param id peername field

Initialize pointers in param id by the book (explicit NULL assignment,
rather than just memset 0).

In x509_verify_param_zero() set peername to NULL after freeing it.

In x509_vfy.c's internal check_hosts(), avoid potential leak of
possibly already non-NULL peername.  This is only set when a check
succeeds, so don't need to do this repeatedly in the loop.

Reviewed-by: Richard Levitte <levitte@openssl.org>

(cherry picked from commit a0724ef1c9b9e2090bdd96b784f492b6a3952957)
---
 crypto/x509/x509_vfy.c |  4 ++++
 crypto/x509/x509_vpm.c | 15 +++++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7bac197..ab94948 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -753,6 +753,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
     int n = sk_OPENSSL_STRING_num(id->hosts);
     char *name;
 
+    if (id->peername != NULL) {
+        OPENSSL_free(id->peername);
+        id->peername = NULL;
+    }
     for (i = 0; i < n; ++i) {
         name = sk_OPENSSL_STRING_value(id->hosts, i);
         if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0)
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 1ea0c69..592a8a5 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -155,6 +155,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
     }
     if (paramid->peername)
         OPENSSL_free(paramid->peername);
+    paramid->peername = NULL;
     if (paramid->email) {
         OPENSSL_free(paramid->email);
         paramid->email = NULL;
@@ -165,7 +166,6 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
         paramid->ip = NULL;
         paramid->iplen = 0;
     }
-
 }
 
 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
@@ -176,13 +176,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
     param = OPENSSL_malloc(sizeof *param);
     if (!param)
         return NULL;
-    paramid = OPENSSL_malloc(sizeof *paramid);
+    memset(param, 0, sizeof(*param));
+
+    paramid = OPENSSL_malloc(sizeof(*paramid));
     if (!paramid) {
         OPENSSL_free(param);
         return NULL;
     }
-    memset(param, 0, sizeof *param);
-    memset(paramid, 0, sizeof *paramid);
+    memset(paramid, 0, sizeof(*paramid));
+    /* Exotic platforms may have non-zero bit representation of NULL */
+    paramid->hosts = NULL;
+    paramid->peername = NULL;
+    paramid->email = NULL;
+    paramid->ip = NULL;
+
     param->id = paramid;
     x509_verify_param_zero(param);
     return param;
-- 
1.7.12.1