[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Thu Mar 5 09:24:05 UTC 2015
The branch OpenSSL_1_0_2-stable has been updated
via d6b4a41d100c2d3b401baf8edc34085ff610c5ba (commit)
from 9fdbaf3a322689a58381c724e4f3497320a69581 (commit)
- Log -----------------------------------------------------------------
commit d6b4a41d100c2d3b401baf8edc34085ff610c5ba
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 4 17:49:51 2015 +0000
Unchecked malloc fixes
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.
Reviewed-by: Tim Hudson <tjh at openssl.org>
(cherry picked from commit 918bb8652969fd53f0c390c1cd909265ed502c7e)
Conflicts:
crypto/bio/bss_dgram.c
-----------------------------------------------------------------------
Summary of changes:
apps/apps.c | 11 +++++++++++
apps/ca.c | 8 ++++++++
apps/cms.c | 4 ++++
apps/dgst.c | 5 +++++
apps/rsautl.c | 5 +++++
apps/s_cb.c | 5 +++++
apps/s_client.c | 5 +++++
apps/s_server.c | 20 +++++++++++++++++++-
apps/speed.c | 12 ++++++++++--
apps/srp.c | 8 ++++++++
apps/x509.c | 5 +++++
crypto/asn1/bio_ndef.c | 6 ++++++
crypto/bio/b_print.c | 8 ++++++++
crypto/bio/bss_dgram.c | 15 ++++++++++++++-
crypto/cms/cms_pwri.c | 2 ++
crypto/dh/dh_pmeth.c | 3 +++
crypto/dso/dso_vms.c | 3 ++-
crypto/objects/o_names.c | 15 +++++++++------
crypto/rand/rand_os2.c | 3 +++
crypto/threads/th-lock.c | 23 ++++++++++++++++++++++-
ssl/s3_pkt.c | 4 ++++
21 files changed, 158 insertions(+), 12 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index ef5d087..b0acbc7 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -574,6 +574,11 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
char *prompt = NULL;
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
+ if(!prompt) {
+ BIO_printf(bio_err, "Out of memory\n");
+ UI_free(ui);
+ return 0;
+ }
ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
@@ -583,6 +588,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
PW_MIN_LENGTH, bufsiz - 1);
if (ok >= 0 && verify) {
buff = (char *)OPENSSL_malloc(bufsiz);
+ if(!buff) {
+ BIO_printf(bio_err, "Out of memory\n");
+ UI_free(ui);
+ OPENSSL_free(prompt);
+ return 0;
+ }
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
PW_MIN_LENGTH, bufsiz - 1, buf);
}
diff --git a/apps/ca.c b/apps/ca.c
index f0a19cf..3215c56 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -563,10 +563,18 @@ int MAIN(int argc, char **argv)
#ifdef OPENSSL_SYS_VMS
len = strlen(s) + sizeof(CONFIG_FILE);
tofree = OPENSSL_malloc(len);
+ if(!tofree) {
+ BIO_printf(bio_err, "Out of memory\n");
+ goto err;
+ }
strcpy(tofree, s);
#else
len = strlen(s) + sizeof(CONFIG_FILE) + 1;
tofree = OPENSSL_malloc(len);
+ if(!tofree) {
+ BIO_printf(bio_err, "Out of memory\n");
+ goto err;
+ }
BUF_strlcpy(tofree, s, len);
BUF_strlcat(tofree, "/", len);
#endif
diff --git a/apps/cms.c b/apps/cms.c
index 2c8ada6..2c92253 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -463,6 +463,10 @@ int MAIN(int argc, char **argv)
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
nparam = OPENSSL_malloc(sizeof(cms_key_param));
+ if(!nparam) {
+ BIO_printf(bio_err, "Out of memory\n");
+ goto argerr;
+ }
nparam->idx = keyidx;
nparam->param = sk_OPENSSL_STRING_new_null();
nparam->next = NULL;
diff --git a/apps/dgst.c b/apps/dgst.c
index adb7a06..47c2f69 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -460,6 +460,11 @@ int MAIN(int argc, char **argv)
ERR_print_errors(bio_err);
goto end;
}
+ if (!sigbuf) {
+ BIO_printf(bio_err, "Out of memory\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
siglen = BIO_read(sigbio, sigbuf, siglen);
BIO_free(sigbio);
if (siglen <= 0) {
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 0030aca..d642f9a 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -268,6 +268,11 @@ int MAIN(int argc, char **argv)
rsa_in = OPENSSL_malloc(keysize * 2);
rsa_out = OPENSSL_malloc(keysize);
+ if (!rsa_in || !rsa_out) {
+ BIO_printf(bio_err, "Out of memory\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
/* Read the input data */
rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
diff --git a/apps/s_cb.c b/apps/s_cb.c
index d5756c0..f6e6bcd 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -456,8 +456,13 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared)
if (ncurves <= 0)
return 1;
curves = OPENSSL_malloc(ncurves * sizeof(int));
+ if(!curves) {
+ BIO_puts(out, "Malloc error getting supported curves\n");
+ return 0;
+ }
SSL_get1_curves(s, curves);
+
BIO_puts(out, "Supported Elliptic Curves: ");
for (i = 0; i < ncurves; i++) {
if (i)
diff --git a/apps/s_client.c b/apps/s_client.c
index 8212c9f..8fa2b73 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -560,6 +560,11 @@ static char *MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
PW_CB_DATA cb_tmp;
int l;
+ if(!pass) {
+ BIO_printf(bio_err, "Malloc failure\n");
+ return NULL;
+ }
+
cb_tmp.password = (char *)srp_arg->srppassin;
cb_tmp.prompt_info = "SRP user";
if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
diff --git a/apps/s_server.c b/apps/s_server.c
index 5709546..655ada0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -696,6 +696,8 @@ static int ebcdic_new(BIO *bi)
EBCDIC_OUTBUFF *wbuf;
wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
+ if (!wbuf)
+ return 0;
wbuf->alloced = 1024;
wbuf->buff[0] = '\0';
@@ -750,9 +752,11 @@ static int ebcdic_write(BIO *b, const char *in, int inl)
num = num + num; /* double the size */
if (num < inl)
num = inl;
- OPENSSL_free(wbuf);
wbuf =
(EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
+ if(!wbuf)
+ return 0;
+ OPENSSL_free(b->ptr);
wbuf->alloced = num;
wbuf->buff[0] = '\0';
@@ -3319,6 +3323,10 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
unsigned char *p;
sess = OPENSSL_malloc(sizeof(simple_ssl_session));
+ if(!sess) {
+ BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+ return 0;
+ }
SSL_SESSION_get_id(session, &sess->idlen);
sess->derlen = i2d_SSL_SESSION(session, NULL);
@@ -3326,6 +3334,16 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
sess->der = OPENSSL_malloc(sess->derlen);
+ if(!sess->id || !sess->der) {
+ BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+
+ if(sess->id)
+ OPENSSL_free(sess->id);
+ if(sess->der)
+ OPENSSL_free(sess->der);
+ OPENSSL_free(sess);
+ return 0;
+ }
p = sess->der;
i2d_SSL_SESSION(session, &p);
diff --git a/apps/speed.c b/apps/speed.c
index 7dcd354..7b1acc1 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2775,6 +2775,11 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher)
inp = OPENSSL_malloc(mblengths[num - 1]);
out = OPENSSL_malloc(mblengths[num - 1] + 1024);
+ if(!inp || !out) {
+ BIO_printf(bio_err,"Out of memory\n");
+ goto end;
+ }
+
EVP_CIPHER_CTX_init(&ctx);
EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, no_key, no_iv);
@@ -2859,7 +2864,10 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher)
fprintf(stdout, "\n");
}
- OPENSSL_free(inp);
- OPENSSL_free(out);
+end:
+ if(inp)
+ OPENSSL_free(inp);
+ if(out)
+ OPENSSL_free(out);
}
#endif
diff --git a/apps/srp.c b/apps/srp.c
index 47b45fb..c679448 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -435,10 +435,18 @@ int MAIN(int argc, char **argv)
# ifdef OPENSSL_SYS_VMS
len = strlen(s) + sizeof(CONFIG_FILE);
tofree = OPENSSL_malloc(len);
+ if(!tofree) {
+ BIO_printf(bio_err, "Out of memory\n");
+ goto err;
+ }
strcpy(tofree, s);
# else
len = strlen(s) + sizeof(CONFIG_FILE) + 1;
tofree = OPENSSL_malloc(len);
+ if(!tofree) {
+ BIO_printf(bio_err, "Out of memory\n");
+ goto err;
+ }
BUF_strlcpy(tofree, s, len);
BUF_strlcat(tofree, "/", len);
# endif
diff --git a/apps/x509.c b/apps/x509.c
index d005c82..864a60d 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -829,6 +829,11 @@ int MAIN(int argc, char **argv)
z = i2d_X509(x, NULL);
m = OPENSSL_malloc(z);
+ if (!m) {
+ BIO_printf(bio_err, "Out of memory\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
d = (unsigned char *)m;
z = i2d_X509_NAME(X509_get_subject_name(x), &d);
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 5817a2b..4a73ca9 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -162,6 +162,9 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
p = OPENSSL_malloc(derlen);
+ if(!p)
+ return 0;
+
ndef_aux->derbuf = p;
*pbuf = p;
derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
@@ -229,6 +232,9 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
p = OPENSSL_malloc(derlen);
+ if(!p)
+ return 0;
+
ndef_aux->derbuf = p;
*pbuf = p;
derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 5dc7630..f7940f2 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -713,6 +713,10 @@ doapr_outch(char **sbuffer,
if (*maxlen == 0)
*maxlen = 1024;
*buffer = OPENSSL_malloc(*maxlen);
+ if(!*buffer) {
+ /* Panic! Can't really do anything sensible. Just return */
+ return;
+ }
if (*currlen > 0) {
assert(*sbuffer != NULL);
memcpy(*buffer, *sbuffer, *currlen);
@@ -721,6 +725,10 @@ doapr_outch(char **sbuffer,
} else {
*maxlen += 1024;
*buffer = OPENSSL_realloc(*buffer, *maxlen);
+ if(!*buffer) {
+ /* Panic! Can't really do anything sensible. Just return */
+ return;
+ }
}
}
/* What to do if *buffer is NULL? */
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index fcbae5f..388d90d 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -1012,6 +1012,10 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
*/
sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
authchunks = OPENSSL_malloc(sockopt_len);
+ if(!authchunks) {
+ BIO_vfree(bio);
+ return (NULL);
+ }
memset(authchunks, 0, sizeof(sockopt_len));
ret =
getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks,
@@ -1347,6 +1351,10 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
optlen =
(socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
authchunks = OPENSSL_malloc(optlen);
+ if (!authchunks) {
+ BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_ERROR);
+ return -1;
+ }
memset(authchunks, 0, sizeof(optlen));
ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS,
authchunks, &optlen);
@@ -1413,10 +1421,15 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
* yet, we have to save it and send it as soon as the socket gets dry.
*/
if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) {
+ char *tmp;
data->saved_message.bio = b;
+ if(!(tmp = OPENSSL_malloc(inl))) {
+ BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_ERROR);
+ return -1;
+ }
if (data->saved_message.data)
OPENSSL_free(data->saved_message.data);
- data->saved_message.data = OPENSSL_malloc(inl);
+ data->saved_message.data = tmp;
memcpy(data->saved_message.data, in, inl);
data->saved_message.length = inl;
return inl;
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index d93b14f..076b545 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -231,6 +231,8 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
return 0;
}
tmp = OPENSSL_malloc(inlen);
+ if(!tmp)
+ return 0;
/* setup IV by decrypting last two blocks */
EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl,
in + inlen - 2 * blocklen, blocklen * 2);
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index 494a887..b3a3147 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -462,6 +462,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
ret = 0;
Zlen = DH_size(dh);
Z = OPENSSL_malloc(Zlen);
+ if(!Z) {
+ goto err;
+ }
if (DH_compute_key_padded(Z, dhpub, dh) <= 0)
goto err;
if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid,
diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c
index 8793f7e..0eff96e 100644
--- a/crypto/dso/dso_vms.c
+++ b/crypto/dso/dso_vms.c
@@ -539,7 +539,8 @@ static char *vms_name_converter(DSO *dso, const char *filename)
{
int len = strlen(filename);
char *not_translated = OPENSSL_malloc(len + 1);
- strcpy(not_translated, filename);
+ if(not_translated)
+ strcpy(not_translated, filename);
return (not_translated);
}
diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index e1e13a6..c6774f4 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -312,15 +312,18 @@ void OBJ_NAME_do_all_sorted(int type,
d.type = type;
d.names =
OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names);
- d.n = 0;
- OBJ_NAME_do_all(type, do_all_sorted_fn, &d);
+ /* Really should return an error if !d.names...but its a void function! */
+ if(d.names) {
+ d.n = 0;
+ OBJ_NAME_do_all(type, do_all_sorted_fn, &d);
- qsort((void *)d.names, d.n, sizeof *d.names, do_all_sorted_cmp);
+ qsort((void *)d.names, d.n, sizeof *d.names, do_all_sorted_cmp);
- for (n = 0; n < d.n; ++n)
- fn(d.names[n], arg);
+ for (n = 0; n < d.n; ++n)
+ fn(d.names[n], arg);
- OPENSSL_free((void *)d.names);
+ OPENSSL_free((void *)d.names);
+ }
}
static int free_type;
diff --git a/crypto/rand/rand_os2.c b/crypto/rand/rand_os2.c
index 9c4a137..02148d5 100644
--- a/crypto/rand/rand_os2.c
+++ b/crypto/rand/rand_os2.c
@@ -149,6 +149,9 @@ int RAND_poll(void)
if (DosQuerySysState) {
char *buffer = OPENSSL_malloc(256 * 1024);
+ if(!buffer)
+ return 0;
+
if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) {
/*
* First 4 bytes in buffer is a pointer to the thread count there
diff --git a/crypto/threads/th-lock.c b/crypto/threads/th-lock.c
index 1b57659..28884c2 100644
--- a/crypto/threads/th-lock.c
+++ b/crypto/threads/th-lock.c
@@ -117,6 +117,10 @@ void CRYPTO_thread_setup(void)
int i;
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE));
+ if(!lock_cs) {
+ /* Nothing we can do about this...void function! */
+ return;
+ }
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_cs[i] = CreateMutex(NULL, FALSE, NULL);
}
@@ -168,6 +172,10 @@ void CRYPTO_thread_setup(void)
# else
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(rwlock_t));
# endif
+ if(!lock_cs) {
+ /* Nothing we can do about this...void function! */
+ return;
+ }
lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_count[i] = 0;
@@ -251,6 +259,12 @@ void CRYPTO_thread_setup(void)
int i;
char filename[20];
+ lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *));
+ if(!lock_cs) {
+ /* Nothing we can do about this...void function! */
+ return;
+ }
+
strcpy(filename, "/tmp/mttest.XXXXXX");
mktemp(filename);
@@ -261,7 +275,6 @@ void CRYPTO_thread_setup(void)
arena = usinit(filename);
unlink(filename);
- lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *));
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_cs[i] = usnewsema(arena, 1);
}
@@ -315,6 +328,14 @@ void CRYPTO_thread_setup(void)
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+ if(!lock_cs || !lock_count) {
+ /* Nothing we can do about this...void function! */
+ if(lock_cs)
+ OPENSSL_free(lock_cs);
+ if(lock_count)
+ OPENSSL_free(lock_count);
+ return;
+ }
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_count[i] = 0;
pthread_mutex_init(&(lock_cs[i]), NULL);
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index d5ddb60..136d273 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -708,6 +708,10 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
packlen *= 4;
wb->buf = OPENSSL_malloc(packlen);
+ if(!wb->buf) {
+ SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE);
+ return -1;
+ }
wb->len = packlen;
} else if (tot == len) { /* done? */
OPENSSL_free(wb->buf); /* free jumbo buffer */
More information about the openssl-commits
mailing list