[openssl-dev] [openssl.org #4384] [PATCH] Missing Sanity Check plus potential NULL pointer deref (CWE-476)
Bill Parker via RT
rt at openssl.org
Mon Mar 7 17:53:26 UTC 2016
Hello All,
In reviewing code in directory 'engines', file 'e_aep.c', there is a
call to function 'bn_expand()', but it is not checked for a return
value of NULL. However, a member of the variable 'bn' (bn->d) is used in
memset()/memcpy() calls, but if 'bn' is NULL, a segmentation fault/violation
will occur.
The patch file below checks for a NULL return from 'bn_expand()', but
I was not sure what should be returned from here (so I kludged something
to fit):
--- e_aep.c.orig 2016-03-06 10:47:23.113646348 -0800
+++ e_aep.c 2016-03-06 10:52:27.991394742 -0800
@@ -1137,7 +1137,9 @@
/*
* Expand the result bn so that it can hold our big num. Size is in
bits
*/
- bn_expand(bn, (int)(BigNumSize << 3));
+ if (!bn_expand(bn, (int)(BigNumSize << 3)) == NULL)
+ /* what should we do here, a new error code, etc? */
+ return 117; /* bn_expand could return NULL, could it not? */
# ifdef SIXTY_FOUR_BIT_LONG
bn->top = BigNumSize >> 3;
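Review bot: the new condition on the `+ if` line is inverted. In C, `!` binds tighter than `==`, so `!bn_expand(...) == NULL` evaluates as `(!bn_expand(...)) == 0`, which is true exactly when bn_expand() returns a non-NULL pointer. As written, the function returns 117 on every successful expansion and falls through to `bn->top = BigNumSize >> 3;` when bn_expand() fails, the opposite of what the patch intends. Drop the `!`: `if (bn_expand(bn, (int)(BigNumSize << 3)) == NULL)`. The hard-coded `return 117` also needs to go: the hunk does not show the enclosing function's return type or the values its callers test for, so the failure path should report the error through the file's existing error-reporting macros and return whatever this function's established failure value is, rather than a magic number. Wrapping the body of the new `if` in braces would also match the surrounding code style.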
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4384
Please log in as guest with password guest if prompted
-------------- next part --------------
A non-text attachment was scrubbed...
Name: e_aep.c.patch
Type: application/octet-stream
Size: 501 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160307/fc5d0a88/attachment.obj>