[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Fri Apr 16 02:13:29 UTC 2021


The branch master has been updated
       via  42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 (commit)
      from  34ed73339602c361d09fe4233d65cef996356239 (commit)


- Log -----------------------------------------------------------------
commit 42e7d2f10e3658c0c248df8a6edf3c48c477e4b0
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Mon Apr 12 13:58:14 2021 +1000

    Add more negative checks for integers passed to OPENSSL_malloc().
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14830)

-----------------------------------------------------------------------

Summary of changes:
 apps/lib/app_x509.c      |  2 +-
 crypto/asn1/a_dup.c      |  3 +++
 crypto/asn1/a_int.c      |  6 +++++-
 crypto/asn1/a_mbstr.c    |  2 ++
 crypto/asn1/bio_asn1.c   |  2 +-
 crypto/asn1/p5_pbe.c     |  2 ++
 crypto/asn1/p5_pbev2.c   |  2 ++
 crypto/asn1/tasn_utl.c   |  2 ++
 crypto/bio/bf_buff.c     | 10 +++++++---
 crypto/bio/bf_lbuf.c     |  4 +++-
 crypto/bio/bss_log.c     |  2 ++
 crypto/ess/ess_lib.c     |  4 ++++
 crypto/pkcs12/p12_mutl.c |  2 ++
 crypto/pkcs12/p12_utl.c  |  5 +++++
 crypto/x509/t_x509.c     |  2 ++
 crypto/x509/v3_conf.c    |  2 ++
 crypto/x509/v3_ia5.c     |  2 +-
 crypto/x509/x509spki.c   |  3 +++
 18 files changed, 49 insertions(+), 8 deletions(-)

diff --git a/apps/lib/app_x509.c b/apps/lib/app_x509.c
index 00581aabbd..3d9e4fd697 100644
--- a/apps/lib/app_x509.c
+++ b/apps/lib/app_x509.c
@@ -26,7 +26,7 @@ static ASN1_OCTET_STRING *mk_octet_string(void *value, size_t value_n)
 
     if (v == NULL) {
         BIO_printf(bio_err, "error: allocation failed\n");
-    } else if (!ASN1_OCTET_STRING_set(v, value, value_n)) {
+    } else if (!ASN1_OCTET_STRING_set(v, value, (int)value_n)) {
         ASN1_OCTET_STRING_free(v);
         v = NULL;
     }
diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c
index bdefa448ec..263c8a0c5e 100644
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x)
         return NULL;
 
     i = i2d(x, NULL);
+    if (i <= 0)
+        return NULL;
+
     b = OPENSSL_malloc(i + 10);
     if (b == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0fc469804d..19e41ec73e 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
     ASN1_INTEGER *ret = NULL;
     const unsigned char *p;
     unsigned char *s;
-    long len;
+    long len = 0;
     int inf, tag, xclass;
     int i;
 
@@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
         goto err;
     }
 
+    if (len < 0) {
+        i = ASN1_R_ILLEGAL_NEGATIVE_VALUE;
+        goto err;
+    }
     /*
      * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
      * a missing NULL parameter.
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 208a383af2..22dea873ee 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
         len = strlen((const char *)in);
     if (!mask)
         mask = DIRSTRING_TYPE;
+    if (len < 0)
+        return -1;
 
     /* First do a string check and work out the number of characters */
     switch (inform) {
diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c
index dc99e2d7c2..19af059a2c 100644
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b)
 
 static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)
 {
-    if ((ctx->buf = OPENSSL_malloc(size)) == NULL) {
+    if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;
     }
diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index b6388cd12f..fb43044822 100644
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
     }
     if (!saltlen)
         saltlen = PKCS5_SALT_LEN;
+    if (saltlen < 0)
+        goto err;
 
     sstr = OPENSSL_malloc(saltlen);
     if (sstr == NULL) {
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 738e3a0d10..1049f01905 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
     kdf->salt->value.octet_string = osalt;
     kdf->salt->type = V_ASN1_OCTET_STRING;
 
+    if (saltlen < 0)
+        goto merr;
     if (saltlen == 0)
         saltlen = PKCS5_SALT_LEN;
     if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL)
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index 12a6b15999..28a4b23aa4 100644
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
         return 1;
 
     OPENSSL_free(enc->enc);
+    if (inlen <= 0)
+        return 0;
     if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) {
         ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
         return 0;
diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c
index 46eff55447..157bc3af45 100644
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -289,7 +289,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         break;
     case BIO_C_SET_BUFF_READ_DATA:
         if (num > ctx->ibuf_size) {
-            p1 = OPENSSL_malloc((int)num);
+            if (num <= 0)
+                return 0;
+            p1 = OPENSSL_malloc((size_t)num);
             if (p1 == NULL)
                 goto malloc_error;
             OPENSSL_free(ctx->ibuf);
@@ -318,12 +320,14 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         p1 = ctx->ibuf;
         p2 = ctx->obuf;
         if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size)) {
-            p1 = OPENSSL_malloc((int)num);
+            if (num <= 0)
+                return 0;
+            p1 = OPENSSL_malloc((size_t)num);
             if (p1 == NULL)
                 goto malloc_error;
         }
         if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size)) {
-            p2 = OPENSSL_malloc((int)num);
+            p2 = OPENSSL_malloc((size_t)num);
             if (p2 == NULL) {
                 if (p1 != ctx->ibuf)
                     OPENSSL_free(p1);
diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
index b1f8d68658..14e2e6613d 100644
--- a/crypto/bio/bf_lbuf.c
+++ b/crypto/bio/bf_lbuf.c
@@ -235,7 +235,9 @@ static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         obs = (int)num;
         p = ctx->obuf;
         if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size)) {
-            p = OPENSSL_malloc((int)num);
+            if (num <= 0)
+                return 0;
+            p = OPENSSL_malloc((size_t)num);
             if (p == NULL)
                 goto malloc_error;
         }
diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c
index 1669948f27..23ba8aeb73 100644
--- a/crypto/bio/bss_log.c
+++ b/crypto/bio/bss_log.c
@@ -196,6 +196,8 @@ static int slg_write(BIO *b, const char *in, int inl)
         /* The default */
     };
 
+    if (inl < 0)
+        return 0;
     if ((buf = OPENSSL_malloc(inl + 1)) == NULL) {
         ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
         return 0;
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index 96cb6d053f..ebfe5b93c7 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -223,6 +223,8 @@ int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
     int len;
 
     len = i2d_ESS_SIGNING_CERT(sc, NULL);
+    if (len <= 0)
+        goto err;
     if ((pp = OPENSSL_malloc(len)) == NULL) {
         ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
         goto err;
@@ -251,6 +253,8 @@ int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc)
     unsigned char *p, *pp = NULL;
     int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
 
+    if (len <= 0)
+        goto err;
     if ((pp = OPENSSL_malloc(len)) == NULL) {
         ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
         goto err;
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index acf90051c4..70b3ec702b 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -234,6 +234,8 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
     }
     if (!saltlen)
         saltlen = PKCS12_SALT_LEN;
+    if (saltlen < 0)
+        return 0;
     if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) {
         ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
         return 0;
diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index af5b628c0f..c3afb6aca1 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -21,6 +21,8 @@ unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
 
     if (asclen == -1)
         asclen = strlen(asc);
+    if (asclen < 0)
+        return NULL;
     ulen = asclen * 2 + 2;
     if ((unitmp = OPENSSL_malloc(ulen)) == NULL) {
         ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
@@ -44,9 +46,12 @@ char *OPENSSL_uni2asc(const unsigned char *uni, int unilen)
 {
     int asclen, i;
     char *asctmp;
+
     /* string must contain an even number of bytes */
     if (unilen & 1)
         return NULL;
+    if (unilen < 0)
+        return NULL;
     asclen = unilen / 2;
     /* If no terminating zero allow for one */
     if (!unilen || uni[unilen - 1])
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 5ae952ad1f..0c6d5f72fe 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -236,6 +236,8 @@ int X509_ocspid_print(BIO *bp, X509 *x)
         goto err;
     subj = X509_get_subject_name(x);
     derlen = i2d_X509_NAME(subj, NULL);
+    if (derlen <= 0)
+        goto err;
     if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL)
         goto err;
     i2d_X509_NAME(subj, &dertmp);
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index 7ec4727c4d..f8a7dfe840 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -154,6 +154,8 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
         unsigned char *p;
 
         ext_len = method->i2d(ext_struc, NULL);
+        if (ext_len <= 0)
+            goto merr;
         if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
             goto merr;
         p = ext_der;
diff --git a/crypto/x509/v3_ia5.c b/crypto/x509/v3_ia5.c
index c1204eb8fa..6722b6c01f 100644
--- a/crypto/x509/v3_ia5.c
+++ b/crypto/x509/v3_ia5.c
@@ -29,7 +29,7 @@ char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
 {
     char *tmp;
 
-    if (ia5 == NULL || ia5->length == 0)
+    if (ia5 == NULL || ia5->length <= 0)
         return NULL;
     if ((tmp = OPENSSL_malloc(ia5->length + 1)) == NULL) {
         ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c
index 2e6e7e9f9b..1d371c4761 100644
--- a/crypto/x509/x509spki.c
+++ b/crypto/x509/x509spki.c
@@ -58,7 +58,10 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
     unsigned char *der_spki, *p;
     char *b64_str;
     int der_len;
+
     der_len = i2d_NETSCAPE_SPKI(spki, NULL);
+    if (der_len <= 0)
+        return NULL;
     der_spki = OPENSSL_malloc(der_len);
     b64_str = OPENSSL_malloc(der_len * 2);
     if (der_spki == NULL || b64_str == NULL) {


More information about the openssl-commits mailing list