[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Fri Aug 26 19:42:45 UTC 2016


The branch OpenSSL_1_0_2-stable has been updated
       via  7fb82d06746f7503323a7846448e095bf8f5ef9e (commit)
      from  06a549c435d6095b33d78f136904c5fc2f7bcf24 (commit)


- Log -----------------------------------------------------------------
commit 7fb82d06746f7503323a7846448e095bf8f5ef9e
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Aug 26 15:14:24 2016 +0100

    SRP_create_verifier does not check for NULL before OPENSSL_cleanse
    
    OPENSSL_cleanse() does not validate its input parameter for NULL so
    SRP_create_verifier() should do so instead. Otherwise a segfault will
    result.
    
    Alternative solution to GitHub PR#1006
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/srp/srp_vfy.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 986babf..af557a1 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -635,7 +635,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
         BN_free(N_bn);
         BN_free(g_bn);
     }
-    OPENSSL_cleanse(vf, vfsize);
+    if (vf != NULL)
+        OPENSSL_cleanse(vf, vfsize);
     OPENSSL_free(vf);
     BN_clear_free(s);
     BN_clear_free(v);
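
Review bot: In the cleanup block, the new `if (vf != NULL)` guard has no comment explaining why OPENSSL_cleanse(vf, vfsize) needs it while OPENSSL_free(vf) on the next line is called unguarded. A one-line comment noting that OPENSSL_cleanse() does not accept NULL would keep a later cleanup from removing the check. The guard also relies on vf being initialised to NULL at its declaration and on vfsize being assigned before vf can become non-NULL. Neither is visible in this hunk, so both should be confirmed for every path that reaches this cleanup code. Since the commit message says OPENSSL_cleanse() never validates its argument, the other call sites in srp_vfy.c that cleanse a buffer which may still be unallocated deserve the same check.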

