[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Rich Salz rsalz at openssl.org
Tue Feb 14 19:35:57 UTC 2017

The branch OpenSSL_1_1_0-stable has been updated
       via  be31d57686a551261cfd5deb95c9553402942a43 (commit)
      from  dff827da751525b0e32ecb59a1d382b03f34a4de (commit)

- Log -----------------------------------------------------------------
commit be31d57686a551261cfd5deb95c9553402942a43
Author: Guido Vranken <guidovranken at gmail.com>
Date:   Mon Feb 13 01:36:43 2017 +0100

    Prevent allocations of size 0 in sh_init.
    which are not possible with the default OPENSSL_zalloc, but are possible if
    the user has installed their own allocator using CRYPTO_set_mem_functions. If
    the 0-allocations succeeds, the secure heap code will later access
    (at least) the first byte of that space, which is technically an OOB
    access. This could lead to problems with some custom allocators that only
    return a valid pointer for subsequent free()-ing, and do not expect that
    the pointer is actually dereferenced.
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2605)
    (cherry picked from commit 7f07149d25f8d7e00e9350ff2f064a4d25c1a13d)


Summary of changes:
 crypto/mem_sec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 4ccff34..0c79b43 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -356,6 +356,10 @@ static int sh_init(size_t size, int minsize)
     sh.minsize = minsize;
     sh.bittable_size = (sh.arena_size / sh.minsize) * 2;
+    /* Prevent allocations of size 0 later on */
+    if (sh.bittable_size >> 3 == 0)
+        goto err;
     sh.freelist_size = -1;
     for (i = sh.bittable_size; i; i >>= 1)

More information about the openssl-commits mailing list