[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Wed May 13 14:34:05 UTC 2015

The branch OpenSSL_1_0_2-stable has been updated
       via  eba8bf485a81541ad25a685f13f00a862cc371a8 (commit)
      from  464774d75f91ab84772de71743e3c8c0db9a96a6 (commit)

- Log -----------------------------------------------------------------
commit eba8bf485a81541ad25a685f13f00a862cc371a8
Author: Hanno Böck <hanno at hboeck.de>
Date:   Mon May 11 11:33:37 2015 +0100

    Call of memcmp with null pointers in obj_cmp()

    The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
    situations call memcmp() with a null pointer and a zero length.
    This is invalid behaviour. When compiling openssl with undefined
    behaviour sanitizer (add -fsanitize=undefined to compile flags) this
    can be seen. One example that triggers this behaviour is the pkcs7
    command (but there are others, e.g. I've seen it with the timestamp

    apps/openssl pkcs7 -in test/testp7.pem

    What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
    passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
    structures can have a null pointer as data.

    Signed-off-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (cherry picked from commit 2b8dc08b74fc3c6d4c2fc855cc23bac691d985be)


Summary of changes:
 crypto/objects/obj_dat.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 5cd755d..5ff1294 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -400,6 +400,8 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp)
     j = (a->length - b->length);
     if (j)
         return (j);
+    if (a->length == 0)
+        return 0;
     return (memcmp(a->data, b->data, a->length));
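Review bot: The new `if (a->length == 0)` guard before the memcmp() call has no comment, and its reason is not obvious from the code alone. A one-line comment saying that a zero-length ASN1_OBJECT can have a NULL ->data and that passing NULL to memcmp() is undefined even with a length of 0 would keep a later cleanup from dropping it as redundant. The comment could also record that testing only a->length is enough here because the preceding `if (j) return (j);` has already established that both lengths are equal, so b->data is covered by the same check. Minor style point: the added line uses `return 0;` while the neighbouring lines in this function use the parenthesised form `return (j);`.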
