[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Rich Salz rsalz at openssl.org
Fri Aug 19 14:44:38 UTC 2016


The branch OpenSSL_1_0_2-stable has been updated
       via  a03f81f4ead24c234dc26e388d86a352685f3948 (commit)
      from  66e708326524929a0e1631f8d1ef6e63c153922c (commit)


- Log -----------------------------------------------------------------
commit a03f81f4ead24c234dc26e388d86a352685f3948
Author: Rich Salz <rsalz at openssl.org>
Date:   Fri Aug 19 10:31:03 2016 -0400

    Fix NULL-return checks in 1.0.2
    
    RT4386: Add sanity checks for BN_new()
    RT4384: Missing Sanity Checks for RSA_new_method()
    RT4384: Missing Sanity Check plus potential NULL pointer deref
    RT4382: Missing Sanity Check(s) for BUF_strdup()
    RT4380: Missing Sanity Checks for EVP_PKEY_new()
    RT4377: Prevent potential NULL pointer dereference
    RT4375: Missing sanity checks for OPENSSL_malloc()
    RT4374: Potential for NULL pointer dereferences
    RT4371: Missing Sanity Check for malloc()
    RT4370: Potential for NULL pointer dereferences
    
    Also expand tabs, make update, typo fix (rsalz)
    Minor tweak by Paul Dale.
    Some minor internal review feedback.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.c                    |  3 ++-
 apps/ca.c                      | 20 ++++++++------------
 apps/speed.c                   |  4 ++++
 crypto/asn1/asn_mime.c         |  2 ++
 crypto/bio/bss_rtcp.c          |  2 ++
 crypto/conf/conf_mod.c         |  4 ++++
 crypto/engine/eng_cryptodev.c  |  6 +++++-
 crypto/evp/openbsd_hw.c        | 22 ++++++++++++++++++++++
 crypto/evp/pmeth_gn.c          |  5 +++++
 crypto/jpake/jpake.c           |  4 ++++
 crypto/pkcs7/pk7_doit.c        |  2 ++
 crypto/ui/ui_lib.c             |  2 ++
 crypto/x509/by_dir.c           |  4 ++++
 crypto/x509v3/v3_alt.c         |  2 ++
 doc/crypto/OBJ_nid2obj.pod     |  4 +++-
 engines/ccgost/gost2001.c      |  6 ++++++
 engines/ccgost/gost2001_keyx.c |  2 ++
 engines/ccgost/gost94_keyx.c   |  2 ++
 engines/ccgost/gost_ameth.c    | 14 ++++++++++++++
 engines/ccgost/gost_pmeth.c    |  4 ++++
 engines/e_4758cca.c            |  8 ++++++++
 engines/e_aep.c                |  3 ++-
 engines/e_capi.c               | 13 +++++++++++++
 engines/e_chil.c               | 33 ++++++++++++++++++++++++++++-----
 ssl/d1_both.c                  |  2 ++
 ssl/s3_clnt.c                  |  4 ++++
 ssl/s3_enc.c                   |  4 ++++
 ssl/ssl_ciph.c                 |  5 +++++
 ssl/ssl_sess.c                 |  4 ++++
 ssl/t1_lib.c                   |  2 ++
 30 files changed, 171 insertions(+), 21 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index 0385490..08ddbc4 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -215,7 +215,8 @@ int args_from_file(char *file, int *argc, char **argv[])
     if (arg != NULL)
         OPENSSL_free(arg);
     arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
-
+    if (arg == NULL)
+        return 0;
     *argv = arg;
     num = 0;
     p = buf;
diff --git a/apps/ca.c b/apps/ca.c
index 0b66095..0ad7be3 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -2103,25 +2103,21 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         goto err;
 
     /* We now just add it to the database */
-    row[DB_type] = (char *)OPENSSL_malloc(2);
-
     tm = X509_get_notAfter(ret);
-    row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
-    memcpy(row[DB_exp_date], tm->data, tm->length);
-    row[DB_exp_date][tm->length] = '\0';
-
-    row[DB_rev_date] = NULL;
-
-    /* row[DB_serial] done already */
-    row[DB_file] = (char *)OPENSSL_malloc(8);
+    row[DB_type] = OPENSSL_malloc(2);
+    row[DB_exp_date] = OPENSSL_malloc(tm->length + 1);
+    row[DB_file] = OPENSSL_malloc(8);
     row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
-
     if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
         (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
         BIO_printf(bio_err, "Memory allocation failure\n");
         goto err;
     }
-    BUF_strlcpy(row[DB_file], "unknown", 8);
+
+    memcpy(row[DB_exp_date], tm->data, tm->length);
+    row[DB_exp_date][tm->length] = '\0';
+    row[DB_rev_date] = '\0';
+    strcpy(row[DB_file], "unknown");
     row[DB_type][0] = 'V';
     row[DB_type][1] = '\0';
 
diff --git a/apps/speed.c b/apps/speed.c
index 95adcc1..b862868 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2614,6 +2614,10 @@ static int do_multi(int multi)
     static char sep[] = ":";
 
     fds = malloc(multi * sizeof *fds);
+    if (fds == NULL) {
+        fprintf(stderr, "Out of memory in speed (do_multi)\n");
+        exit(1);
+    }
     for (n = 0; n < multi; ++n) {
         if (pipe(fd) == -1) {
             fprintf(stderr, "pipe failure\n");
diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c
index 9fd5bef..5170906 100644
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@@ -623,6 +623,8 @@ static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
                 if (bpart)
                     sk_BIO_push(parts, bpart);
                 bpart = BIO_new(BIO_s_mem());
+                if (bpart == NULL)
+                    return 1;
                 BIO_set_mem_eof_return(bpart, 0);
             } else if (eol)
                 BIO_write(bpart, "\r\n", 2);
diff --git a/crypto/bio/bss_rtcp.c b/crypto/bio/bss_rtcp.c
index 09f14f4..5c98a82 100644
--- a/crypto/bio/bss_rtcp.c
+++ b/crypto/bio/bss_rtcp.c
@@ -170,6 +170,8 @@ static int rtcp_new(BIO *bi)
     bi->num = 0;
     bi->flags = 0;
     bi->ptr = OPENSSL_malloc(sizeof(struct rpc_ctx));
+    if (bi->ptr == NULL)
+        return (0);
     ctx = (struct rpc_ctx *)bi->ptr;
     ctx->filled = 0;
     ctx->pos = 0;
diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
index 9acfca4..e0c9a67 100644
--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -288,6 +288,10 @@ static CONF_MODULE *module_add(DSO *dso, const char *name,
 
     tmod->dso = dso;
     tmod->name = BUF_strdup(name);
+    if (tmod->name == NULL) {
+        OPENSSL_free(tmod);
+        return NULL;
+    }
     tmod->init = ifunc;
     tmod->finish = ffunc;
     tmod->links = 0;
diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 5a2ca6d..65a74df 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -935,11 +935,15 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
         return (0);
     }
 
+    dstate->mac_len = fstate->mac_len;
     if (fstate->mac_len != 0) {
         if (fstate->mac_data != NULL) {
             dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
+            if (dstate->ac_data == NULL) {
+                printf("cryptodev_digest_init: malloc failed\n");
+                return 0;
+            }
             memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
-            dstate->mac_len = fstate->mac_len;
         }
     }
 
diff --git a/crypto/evp/openbsd_hw.c b/crypto/evp/openbsd_hw.c
index 75d12e2..07decf2 100644
--- a/crypto/evp/openbsd_hw.c
+++ b/crypto/evp/openbsd_hw.c
@@ -133,6 +133,10 @@ static int dev_crypto_init_key(EVP_CIPHER_CTX *ctx, int cipher,
         return 0;
 
     CDATA(ctx)->key = OPENSSL_malloc(MAX_HW_KEY);
+    if (CDATA(ctx)->key == NULL {
+        err("CDATA(ctx)->key memory allocation failed");
+        return 0;
+    }
 
     assert(ctx->cipher->iv_len <= MAX_HW_IV);
 
@@ -186,6 +190,11 @@ static int dev_crypto_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
             if (((unsigned long)in & 3) || cinl != inl) {
                 cin = OPENSSL_malloc(cinl);
+                if (cin == NULL) {
+                    err("cin - memory allocation failed");
+                    abort();
+                    return 0;
+                }
                 memcpy(cin, in, inl);
                 cryp.src = cin;
             }
@@ -334,6 +343,11 @@ static int do_digest(int ses, unsigned char *md, const void *data, int len)
             char *dcopy;
 
             dcopy = OPENSSL_malloc(len);
+            if (dcopy == NULL) {
+                err("dcopy - memory allocation failed");
+                abort();
+                return 0;
+            }
             memcpy(dcopy, data, len);
             cryp.src = dcopy;
             cryp.dst = cryp.src; // FIXME!!!
@@ -364,6 +378,10 @@ static int dev_crypto_md5_update(EVP_MD_CTX *ctx, const void *data,
         return do_digest(md_data->sess.ses, md_data->md, data, len);
 
     md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len);
+    if (md_data->data == NULL) {
+        err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory");
+        abort();
+    }
     memcpy(md_data->data + md_data->len, data, len);
     md_data->len += len;
 
@@ -397,6 +415,10 @@ static int dev_crypto_md5_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
     assert(from->digest->flags & EVP_MD_FLAG_ONESHOT);
 
     to_md->data = OPENSSL_malloc(from_md->len);
+    if (to_md->data == NULL) {
+        err("DEV_CRYPTO_MD5_COPY: unable to allocate memory");
+        abort();
+    }
     memcpy(to_md->data, from_md->data, from_md->len);
 
     return 1;
diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c
index 6a4d357..6d7b5d7 100644
--- a/crypto/evp/pmeth_gn.c
+++ b/crypto/evp/pmeth_gn.c
@@ -154,6 +154,11 @@ int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey)
     if (*ppkey == NULL)
         return -1;
 
+    if (*ppkey == NULL) {
+        EVPerr(EVP_F_EVP_PKEY_KEYGEN, ERR_R_MALLOC_FAILURE);
+        return -1;
+    }
+
     ret = ctx->pmeth->keygen(ctx, *ppkey);
     if (ret <= 0) {
         EVP_PKEY_free(*ppkey);
diff --git a/crypto/jpake/jpake.c b/crypto/jpake/jpake.c
index ebc0975..1815735 100644
--- a/crypto/jpake/jpake.c
+++ b/crypto/jpake/jpake.c
@@ -116,6 +116,8 @@ JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name,
                          const BIGNUM *secret)
 {
     JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
+    if (ctx == NULL)
+        return NULL;
 
     JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
 
@@ -151,6 +153,8 @@ static void hashbn(SHA_CTX *sha, const BIGNUM *bn)
     size_t l = BN_num_bytes(bn);
     unsigned char *bin = OPENSSL_malloc(l);
 
+    if (bin == NULL)
+        return NULL;
     hashlength(sha, l);
     BN_bn2bin(bn, bin);
     SHA1_Update(sha, bin, l);
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 1ab6d5a..6cf8253 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -642,6 +642,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
     } else {
 # if 0
         bio = BIO_new(BIO_s_mem());
+        if (bio == NULL)
+            goto err;
         /*
          * We need to set this so that when we have read all the data, the
          * encrypt BIO, if present, will read EOF and encode the last few
diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c
index 2f58035..d25b4f3 100644
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c
@@ -413,6 +413,8 @@ char *UI_construct_prompt(UI *ui, const char *object_desc,
         len += sizeof(prompt3) - 1;
 
         prompt = (char *)OPENSSL_malloc(len + 1);
+        if (prompt == NULL)
+            return NULL;
         BUF_strlcpy(prompt, prompt1, len + 1);
         BUF_strlcat(prompt, object_desc, len + 1);
         if (object_name) {
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 9ee8f8d..bbc3189 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -401,6 +401,10 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
             }
             if (!hent) {
                 hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
+                if (hent == NULL) {
+                    X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
+                    goto finish;
+                }
                 hent->hash = h;
                 hent->suffix = k;
                 if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c
index 22ec202..7f1e71d 100644
--- a/crypto/x509v3/v3_alt.c
+++ b/crypto/x509v3/v3_alt.c
@@ -573,6 +573,8 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
         return 0;
     objlen = p - value;
     objtmp = OPENSSL_malloc(objlen + 1);
+    if (objtmp == NULL)
+        return 0;
     strncpy(objtmp, value, objlen);
     objtmp[objlen] = 0;
     gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
diff --git a/doc/crypto/OBJ_nid2obj.pod b/doc/crypto/OBJ_nid2obj.pod
index 2431398..b8d2896 100644
--- a/doc/crypto/OBJ_nid2obj.pod
+++ b/doc/crypto/OBJ_nid2obj.pod
@@ -122,7 +122,7 @@ Create an object for B<commonName>:
 Check if an object is B<commonName>
 
  if (OBJ_obj2nid(obj) == NID_commonName)
-	/* Do something */
+        /* Do something */
 
 Create a new NID and initialize an object from it:
 
@@ -150,6 +150,8 @@ than enough to handle any OID encountered in practice.
 
 OBJ_nid2obj() returns an B<ASN1_OBJECT> structure or B<NULL> is an
 error occurred.
+It returns a pointer to an internal table and does not
+allocate memory; ASN1_OBJECT_free() will have no effect.
 
 OBJ_nid2ln() and OBJ_nid2sn() returns a valid string or B<NULL>
 on error.
diff --git a/engines/ccgost/gost2001.c b/engines/ccgost/gost2001.c
index 9536295..57f6ee2 100644
--- a/engines/ccgost/gost2001.c
+++ b/engines/ccgost/gost2001.c
@@ -434,6 +434,12 @@ int gost2001_compute_public(EC_KEY *ec)
 int gost2001_keygen(EC_KEY *ec)
 {
     BIGNUM *order = BN_new(), *d = BN_new();
+    if (order == NULL || d == NULL) {
+        GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_MALLOC_FAILURE);
+        BN_free(d);
+        BN_free(order);
+        return 0;
+    }
     const EC_GROUP *group = EC_KEY_get0_group(ec);
 
     if(!group || !EC_GROUP_get_order(group, order, NULL)) {
diff --git a/engines/ccgost/gost2001_keyx.c b/engines/ccgost/gost2001_keyx.c
index db1bdc1..ac7862e 100644
--- a/engines/ccgost/gost2001_keyx.c
+++ b/engines/ccgost/gost2001_keyx.c
@@ -147,6 +147,8 @@ int pkey_GOST01cp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out,
         key_is_ephemeral = 1;
         if (out) {
             sec_key = EVP_PKEY_new();
+            if (sec_key == NULL)
+                goto err;
             EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new());
             EVP_PKEY_copy_parameters(sec_key, pubk);
             if (!gost2001_keygen(EVP_PKEY_get0(sec_key))) {
diff --git a/engines/ccgost/gost94_keyx.c b/engines/ccgost/gost94_keyx.c
index ce57f17..3532bff 100644
--- a/engines/ccgost/gost94_keyx.c
+++ b/engines/ccgost/gost94_keyx.c
@@ -126,6 +126,8 @@ int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
         key_is_ephemeral = 1;
         if (out) {
             mykey = EVP_PKEY_new();
+            if (!mykey)
+                goto memerr;
             EVP_PKEY_assign(mykey, EVP_PKEY_base_id(pubk), DSA_new());
             EVP_PKEY_copy_parameters(mykey, pubk);
             if (!gost_sign_keygen(EVP_PKEY_get0(mykey))) {
diff --git a/engines/ccgost/gost_ameth.c b/engines/ccgost/gost_ameth.c
index b7c5354..8283f19 100644
--- a/engines/ccgost/gost_ameth.c
+++ b/engines/ccgost/gost_ameth.c
@@ -617,6 +617,10 @@ static int pub_decode_gost94(EVP_PKEY *pk, X509_PUBKEY *pub)
         return 0;
     }
     databuf = OPENSSL_malloc(octet->length);
+    if (databuf == NULL) {
+        GOSTerr(GOST_F_PUB_DECODE_GOST94, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
     for (i = 0, j = octet->length - 1; i < octet->length; i++, j--) {
         databuf[j] = octet->data[i];
     }
@@ -646,6 +650,8 @@ static int pub_encode_gost94(X509_PUBKEY *pub, const EVP_PKEY *pk)
     }
     data_len = BN_num_bytes(dsa->pub_key);
     databuf = OPENSSL_malloc(data_len);
+    if (databuf == NULL)
+        return 0;
     BN_bn2bin(dsa->pub_key, databuf);
     octet = ASN1_OCTET_STRING_new();
     ASN1_STRING_set(octet, NULL, data_len);
@@ -686,6 +692,10 @@ static int pub_decode_gost01(EVP_PKEY *pk, X509_PUBKEY *pub)
         return 0;
     }
     databuf = OPENSSL_malloc(octet->length);
+    if (databuf == NULL) {
+        GOSTerr(GOST_F_PUB_DECODE_GOST01, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
     for (i = 0, j = octet->length - 1; i < octet->length; i++, j--) {
         databuf[j] = octet->data[i];
     }
@@ -760,6 +770,10 @@ static int pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk)
     data_len = 2 * BN_num_bytes(order);
     BN_free(order);
     databuf = OPENSSL_malloc(data_len);
+    if (databuf == NULL) {
+        GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
     memset(databuf, 0, data_len);
 
     store_bignum(X, databuf + data_len / 2, data_len / 2);
diff --git a/engines/ccgost/gost_pmeth.c b/engines/ccgost/gost_pmeth.c
index 4a79a85..6968292 100644
--- a/engines/ccgost/gost_pmeth.c
+++ b/engines/ccgost/gost_pmeth.c
@@ -107,6 +107,8 @@ static int pkey_gost_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return 1;
     case EVP_PKEY_CTRL_SET_IV:
         pctx->shared_ukm = OPENSSL_malloc((int)p1);
+        if (pctx->shared_ukm == NULL)
+            return 0;
         memcpy(pctx->shared_ukm, p2, (int)p1);
         return 1;
     case EVP_PKEY_CTRL_PEER_KEY:
@@ -533,6 +535,8 @@ static int pkey_gost_mac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
         return 0;
     }
     keydata = OPENSSL_malloc(32);
+    if (keydata == NULL)
+        return 0;
     memcpy(keydata, data->key, 32);
     EVP_PKEY_assign(pkey, NID_id_Gost28147_89_MAC, keydata);
     return 1;
diff --git a/engines/e_4758cca.c b/engines/e_4758cca.c
index 5f77198..60ba4ab 100644
--- a/engines/e_4758cca.c
+++ b/engines/e_4758cca.c
@@ -463,6 +463,10 @@ static EVP_PKEY *ibm_4758_load_privkey(ENGINE *e, const char *key_id,
 
     (*(long *)keyToken) = keyTokenLength;
     rtmp = RSA_new_method(e);
+    if (rtmp == NULL) {
+        CCA4758err(CCA4758_F_IBM_4758_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
 
     rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
@@ -535,6 +539,10 @@ static EVP_PKEY *ibm_4758_load_pubkey(ENGINE *e, const char *key_id,
 
     (*(long *)keyToken) = keyTokenLength;
     rtmp = RSA_new_method(e);
+    if (rtmp == NULL) {
+        CCA4758err(CCA4758_F_IBM_4758_LOAD_PUBKEY, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     RSA_set_ex_data(rtmp, hndidx, (char *)keyToken);
     rtmp->e = BN_bin2bn(exponent, exponentLength, NULL);
     rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL);
diff --git a/engines/e_aep.c b/engines/e_aep.c
index 9bfda76..4e97d29 100644
--- a/engines/e_aep.c
+++ b/engines/e_aep.c
@@ -1137,7 +1137,8 @@ static AEP_RV ConvertAEPBigNum(void *ArbBigNum, AEP_U32 BigNumSize,
     /*
      * Expand the result bn so that it can hold our big num. Size is in bits
      */
-    bn_expand(bn, (int)(BigNumSize << 3));
+    if (bn_expand(bn, (int)(BigNumSize << 3)) == NULL)
+        return AEP_R_HOST_MEMORY;
 
 #  ifdef SIXTY_FOUR_BIT_LONG
     bn->top = BigNumSize >> 3;
diff --git a/engines/e_capi.c b/engines/e_capi.c
index 6e52463..8c08872 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -1106,6 +1106,10 @@ static int capi_get_provname(CAPI_CTX * ctx, LPSTR * pname, DWORD * ptype,
         name = alloca(len);
     else
         name = OPENSSL_malloc(len);
+    if (name == NULL) {
+        CAPIerr(CAPI_F_CAPI_GET_PROVNAME, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
     if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) {
         err = GetLastError();
         if (err == ERROR_NO_MORE_ITEMS)
@@ -1286,6 +1290,10 @@ char *capi_cert_get_fname(CAPI_CTX * ctx, PCCERT_CONTEXT cert)
         (cert, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dlen))
         return NULL;
     wfname = OPENSSL_malloc(dlen);
+    if (wfname == NULL) {
+        CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
     if (CertGetCertificateContextProperty
         (cert, CERT_FRIENDLY_NAME_PROP_ID, wfname, &dlen)) {
         char *fname = wide_to_asc(wfname);
@@ -1436,6 +1444,11 @@ static CAPI_KEY *capi_get_key(CAPI_CTX * ctx, const TCHAR *contname,
     CAPI_KEY *key;
     DWORD dwFlags = 0;
     key = OPENSSL_malloc(sizeof(CAPI_KEY));
+    if (key == NULL) {
+        CAPIerr(CAPI_F_CAPI_GET_KEY, ERR_R_MALLOC_FAILURE);
+        capi_addlasterror();
+        goto err;
+    }
     if (sizeof(TCHAR) == sizeof(char))
         CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
                    contname, provname, ptype);
diff --git a/engines/e_chil.c b/engines/e_chil.c
index 5e725f5..d5e4cb6 100644
--- a/engines/e_chil.c
+++ b/engines/e_chil.c
@@ -810,9 +810,17 @@ static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
 #  endif
 #  ifndef OPENSSL_NO_RSA
     rtmp = RSA_new_method(eng);
+    if (rtmp == NULL) {
+        HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     RSA_set_ex_data(rtmp, hndidx_rsa, (char *)hptr);
     rtmp->e = BN_new();
     rtmp->n = BN_new();
+    if (rtmp->e == NULL || rtmp->n == NULL) {
+        HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     rtmp->flags |= RSA_FLAG_EXT_PKEY;
     MPI2BN(rtmp->e, e);
     MPI2BN(rtmp->n, n);
@@ -823,8 +831,14 @@ static EVP_PKEY *hwcrhk_load_privkey(ENGINE *eng, const char *key_id,
         goto err;
     }
 
-    bn_expand2(rtmp->e, e.size / sizeof(BN_ULONG));
-    bn_expand2(rtmp->n, n.size / sizeof(BN_ULONG));
+    if (bn_expand2(rtmp->e, e.size / sizeof(BN_ULONG)) == NULL) {
+        HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+    if (bn_expand2(rtmp->n, n.size / sizeof(BN_ULONG)) == NULL) {
+        HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     MPI2BN(rtmp->e, e);
     MPI2BN(rtmp->n, n);
 
@@ -923,7 +937,10 @@ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
         goto err;
     }
     /* Prepare the params */
-    bn_expand2(r, m->top);      /* Check for error !! */
+    if (bn_expand2(r, m->top) == NULL) {     /* Check for error !! */
+        HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     BN2MPI(m_a, a);
     BN2MPI(m_p, p);
     BN2MPI(m_n, m);
@@ -989,7 +1006,10 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
         }
 
         /* Prepare the params */
-        bn_expand2(r, rsa->n->top); /* Check for error !! */
+        if (bn_expand2(r, rsa->n->top) == NULL) { /* Check for error !! */
+            HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
         BN2MPI(m_a, I);
         MPI2BN(r, m_r);
 
@@ -1026,7 +1046,10 @@ static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa,
         }
 
         /* Prepare the params */
-        bn_expand2(r, rsa->n->top); /* Check for error !! */
+        if (bn_expand2(r, rsa->n->top) == NULL) { /* Check for error !! */
+            HWCRHKerr(HWCRHK_F_HWCRHK_RSA_MOD_EXP, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
         BN2MPI(m_a, I);
         BN2MPI(m_p, rsa->p);
         BN2MPI(m_q, rsa->q);
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index b5900de..c412711 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1546,6 +1546,8 @@ int dtls1_heartbeat(SSL *s)
      *  - Padding
      */
     buf = OPENSSL_malloc(1 + 2 + payload + padding);
+    if (buf == NULL)
+        goto err;
     p = buf;
     /* Message Type */
     *p++ = TLS1_HB_REQUEST;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 19dc864..36833f7 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2111,6 +2111,10 @@ int ssl3_get_certificate_request(SSL *s)
     if (ctype_num > SSL3_CT_NUMBER) {
         /* If we exceed static buffer copy all to cert structure */
         s->cert->ctypes = OPENSSL_malloc(ctype_num);
+        if (s->cert->ctypes == NULL) {
+            SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
         memcpy(s->cert->ctypes, p, ctype_num);
         s->cert->ctype_num = (size_t)ctype_num;
         ctype_num = SSL3_CT_NUMBER;
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index b9fc0c7..fbc954d 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -607,6 +607,10 @@ int ssl3_digest_cached_records(SSL *s)
     ssl3_free_digest_list(s);
     s->s3->handshake_dgst =
         OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+    if (s->s3->handshake_dgst == NULL) {
+        SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
     memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
     hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
     if (hdatalen <= 0) {
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index d500dac..2ad8f43 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2006,6 +2006,11 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 
     MemCheck_off();
     comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+    if (comp == NULL) {
+        MemCheck_on();
+        SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);
+        return 1;
+    }
     comp->id = id;
     comp->method = cm;
     load_builtin_compressions();
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index ba5737f..1dd6e6b 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -919,6 +919,10 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
             session->krb5_client_princ_len > 0) {
             s->kssl_ctx->client_princ =
                 (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
+            if (s->kssl_ctx->client_princ == NULL) {
+                SSLerr(SSL_F_SSL_SET_SESSION, ERR_R_MALLOC_FAILURE);
+                return 0;
+            }
             memcpy(s->kssl_ctx->client_princ, session->krb5_client_princ,
                    session->krb5_client_princ_len);
             s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8071b4a..7d322d0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3984,6 +3984,8 @@ int tls1_heartbeat(SSL *s)
      *  - Padding
      */
     buf = OPENSSL_malloc(1 + 2 + payload + padding);
+    if (buf == NULL)
+        return -1;
     p = buf;
     /* Message Type */
     *p++ = TLS1_HB_REQUEST;


More information about the openssl-commits mailing list