From 55554b79a9ba779702456a16b4d92c77d3232638 Mon Sep 17 00:00:00 2001
From: Chris Conlon <chris@wolfssl.com>
Date: Wed, 14 Dec 2016 09:15:45 -0700
Subject: [PATCH] PKCS#7: fix use after free in wc_DecodeKtri

---
 wolfcrypt/src/pkcs7.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index bd459e330..65351f09f 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -2600,13 +2600,12 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
     }
     wc_FreeRsaKey(privKey);
 
-#ifdef WOLFSSL_SMALL_STACK
-    XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-    XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
     if (keySz <= 0 || outKey == NULL) {
         ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ);
+#ifdef WOLFSSL_SMALL_STACK
+        XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
         return keySz;
     } else {
         *decryptedKeySz = keySz;
@@ -2614,6 +2613,11 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz,
         ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ);
     }
 
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
     return 0;
 }