[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Mon May 23 12:45:49 UTC 2016
The branch master has been updated
via e5a5e3f3db5832f7ba4eff8016bad00f37dada58 (commit)
via a98810bfac37a77750592611bb9f5a22e4634692 (commit)
from 11ed851db0c49f9fdd534fbd8a2791266f32c5b8 (commit)
- Log -----------------------------------------------------------------
commit e5a5e3f3db5832f7ba4eff8016bad00f37dada58
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Sun Feb 14 10:42:29 2016 +0100
Add checks on CRYPTO_set_ex_data return value
Fix possible leak in danetest.c
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
commit a98810bfac37a77750592611bb9f5a22e4634692
Author: FdaSilvaYY <fdasilvayy at gmail.com>
Date: Sat Feb 13 19:01:14 2016 +0100
Fix some malloc failure crashes on X509_STORE_CTX_set_ex_data
from BoringSSL 306ece31bcaaed49e0240a2e5555f8901ebb2d45
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/engine/eng_dyn.c | 11 +++++++----
ssl/ssl_cert.c | 4 +++-
test/danetest.c | 8 +++++---
util/indent.pro | 3 ---
4 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c
index af9942c..718599f 100644
--- a/crypto/engine/eng_dyn.c
+++ b/crypto/engine/eng_dyn.c
@@ -154,6 +154,7 @@ static void dynamic_data_ctx_free_func(void *parent, void *ptr,
static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
{
dynamic_data_ctx *c = OPENSSL_zalloc(sizeof(*c));
+ int ret = 1;
if (c == NULL) {
ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX, ERR_R_MALLOC_FAILURE);
@@ -173,9 +174,11 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
dynamic_ex_data_idx))
== NULL) {
/* Good, we're the first */
- ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
- *ctx = c;
- c = NULL;
+ ret = ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
+ if (ret) {
+ *ctx = c;
+ c = NULL;
+ }
}
CRYPTO_THREAD_unlock(global_engine_lock);
/*
@@ -185,7 +188,7 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
if (c)
sk_OPENSSL_STRING_free(c->dirs);
OPENSSL_free(c);
- return 1;
+ return ret;
}
/*
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index f285fbe..7481705 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -409,7 +409,9 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
/* Set suite B flags if needed */
X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
- X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
+ if (!X509_STORE_CTX_set_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+ goto end;
+ }
/* Verify via DANE if enabled */
if (DANETLS_ENABLED(&s->dane))
diff --git a/test/danetest.c b/test/danetest.c
index d914c45..d473b12 100644
--- a/test/danetest.c
+++ b/test/danetest.c
@@ -74,7 +74,7 @@ static void print_errors(void)
static int verify_chain(SSL *ssl, STACK_OF(X509) *chain)
{
- int ret;
+ int ret = -1;
X509_STORE_CTX *store_ctx;
SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl);
X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
@@ -85,8 +85,9 @@ static int verify_chain(SSL *ssl, STACK_OF(X509) *chain)
return -1;
if (!X509_STORE_CTX_init(store_ctx, store, cert, chain))
- return 0;
- X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl);
+ goto end;
+ if (!X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl))
+ goto end;
X509_STORE_CTX_set_default(store_ctx,
SSL_is_server(ssl) ? "ssl_client" : "ssl_server");
@@ -101,6 +102,7 @@ static int verify_chain(SSL *ssl, STACK_OF(X509) *chain)
SSL_set_verify_result(ssl, X509_STORE_CTX_get_error(store_ctx));
X509_STORE_CTX_cleanup(store_ctx);
+end:
X509_STORE_CTX_free(store_ctx);
return (ret);
diff --git a/util/indent.pro b/util/indent.pro
index b7958e3..71997cb 100644
--- a/util/indent.pro
+++ b/util/indent.pro
@@ -187,11 +187,8 @@
-T CRYPTO_EX_DATA_FUNCS
-T CRYPTO_EX_DATA_IMPL
-T CRYPTO_EX_dup
--T CRYPTO_EX_dup
--T CRYPTO_EX_free
-T CRYPTO_EX_free
-T CRYPTO_EX_new
--T CRYPTO_EX_new
-T CRYPTO_MEM_LEAK_CB
-T CRYPTO_THREADID
-T CRYPTO_dynlock_value
More information about the openssl-commits
mailing list