[openssl] master update
shane.lontis at oracle.com
shane.lontis at oracle.com
Fri Apr 16 02:13:29 UTC 2021
The branch master has been updated
via 42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 (commit)
from 34ed73339602c361d09fe4233d65cef996356239 (commit)
- Log -----------------------------------------------------------------
commit 42e7d2f10e3658c0c248df8a6edf3c48c477e4b0
Author: Shane Lontis <shane.lontis at oracle.com>
Date: Mon Apr 12 13:58:14 2021 +1000
Add more negative checks for integers passed to OPENSSL_malloc().
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14830)
-----------------------------------------------------------------------
Summary of changes:
apps/lib/app_x509.c | 2 +-
crypto/asn1/a_dup.c | 3 +++
crypto/asn1/a_int.c | 6 +++++-
crypto/asn1/a_mbstr.c | 2 ++
crypto/asn1/bio_asn1.c | 2 +-
crypto/asn1/p5_pbe.c | 2 ++
crypto/asn1/p5_pbev2.c | 2 ++
crypto/asn1/tasn_utl.c | 2 ++
crypto/bio/bf_buff.c | 10 +++++++---
crypto/bio/bf_lbuf.c | 4 +++-
crypto/bio/bss_log.c | 2 ++
crypto/ess/ess_lib.c | 4 ++++
crypto/pkcs12/p12_mutl.c | 2 ++
crypto/pkcs12/p12_utl.c | 5 +++++
crypto/x509/t_x509.c | 2 ++
crypto/x509/v3_conf.c | 2 ++
crypto/x509/v3_ia5.c | 2 +-
crypto/x509/x509spki.c | 3 +++
18 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/apps/lib/app_x509.c b/apps/lib/app_x509.c
index 00581aabbd..3d9e4fd697 100644
--- a/apps/lib/app_x509.c
+++ b/apps/lib/app_x509.c
@@ -26,7 +26,7 @@ static ASN1_OCTET_STRING *mk_octet_string(void *value, size_t value_n)
if (v == NULL) {
BIO_printf(bio_err, "error: allocation failed\n");
- } else if (!ASN1_OCTET_STRING_set(v, value, value_n)) {
+ } else if (!ASN1_OCTET_STRING_set(v, value, (int)value_n)) {
ASN1_OCTET_STRING_free(v);
v = NULL;
}
diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c
index bdefa448ec..263c8a0c5e 100644
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x)
return NULL;
i = i2d(x, NULL);
+ if (i <= 0)
+ return NULL;
+
b = OPENSSL_malloc(i + 10);
if (b == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0fc469804d..19e41ec73e 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
ASN1_INTEGER *ret = NULL;
const unsigned char *p;
unsigned char *s;
- long len;
+ long len = 0;
int inf, tag, xclass;
int i;
@@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
goto err;
}
+ if (len < 0) {
+ i = ASN1_R_ILLEGAL_NEGATIVE_VALUE;
+ goto err;
+ }
/*
* We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
* a missing NULL parameter.
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 208a383af2..22dea873ee 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
len = strlen((const char *)in);
if (!mask)
mask = DIRSTRING_TYPE;
+ if (len < 0)
+ return -1;
/* First do a string check and work out the number of characters */
switch (inform) {
diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c
index dc99e2d7c2..19af059a2c 100644
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b)
static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)
{
- if ((ctx->buf = OPENSSL_malloc(size)) == NULL) {
+ if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;
}
diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index b6388cd12f..fb43044822 100644
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
}
if (!saltlen)
saltlen = PKCS5_SALT_LEN;
+ if (saltlen < 0)
+ goto err;
sstr = OPENSSL_malloc(saltlen);
if (sstr == NULL) {
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 738e3a0d10..1049f01905 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
kdf->salt->value.octet_string = osalt;
kdf->salt->type = V_ASN1_OCTET_STRING;
+ if (saltlen < 0)
+ goto merr;
if (saltlen == 0)
saltlen = PKCS5_SALT_LEN;
if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL)
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index 12a6b15999..28a4b23aa4 100644
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
return 1;
OPENSSL_free(enc->enc);
+ if (inlen <= 0)
+ return 0;
if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;
diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c
index 46eff55447..157bc3af45 100644
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -289,7 +289,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
break;
case BIO_C_SET_BUFF_READ_DATA:
if (num > ctx->ibuf_size) {
- p1 = OPENSSL_malloc((int)num);
+ if (num <= 0)
+ return 0;
+ p1 = OPENSSL_malloc((size_t)num);
if (p1 == NULL)
goto malloc_error;
OPENSSL_free(ctx->ibuf);
@@ -318,12 +320,14 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
p1 = ctx->ibuf;
p2 = ctx->obuf;
if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size)) {
- p1 = OPENSSL_malloc((int)num);
+ if (num <= 0)
+ return 0;
+ p1 = OPENSSL_malloc((size_t)num);
if (p1 == NULL)
goto malloc_error;
}
if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size)) {
- p2 = OPENSSL_malloc((int)num);
+ p2 = OPENSSL_malloc((size_t)num);
if (p2 == NULL) {
if (p1 != ctx->ibuf)
OPENSSL_free(p1);
diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
index b1f8d68658..14e2e6613d 100644
--- a/crypto/bio/bf_lbuf.c
+++ b/crypto/bio/bf_lbuf.c
@@ -235,7 +235,9 @@ static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr)
obs = (int)num;
p = ctx->obuf;
if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size)) {
- p = OPENSSL_malloc((int)num);
+ if (num <= 0)
+ return 0;
+ p = OPENSSL_malloc((size_t)num);
if (p == NULL)
goto malloc_error;
}
diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c
index 1669948f27..23ba8aeb73 100644
--- a/crypto/bio/bss_log.c
+++ b/crypto/bio/bss_log.c
@@ -196,6 +196,8 @@ static int slg_write(BIO *b, const char *in, int inl)
/* The default */
};
+ if (inl < 0)
+ return 0;
if ((buf = OPENSSL_malloc(inl + 1)) == NULL) {
ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
return 0;
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index 96cb6d053f..ebfe5b93c7 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -223,6 +223,8 @@ int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
int len;
len = i2d_ESS_SIGNING_CERT(sc, NULL);
+ if (len <= 0)
+ goto err;
if ((pp = OPENSSL_malloc(len)) == NULL) {
ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
goto err;
@@ -251,6 +253,8 @@ int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc)
unsigned char *p, *pp = NULL;
int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
+ if (len <= 0)
+ goto err;
if ((pp = OPENSSL_malloc(len)) == NULL) {
ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
goto err;
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index acf90051c4..70b3ec702b 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -234,6 +234,8 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
}
if (!saltlen)
saltlen = PKCS12_SALT_LEN;
+ if (saltlen < 0)
+ return 0;
if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
return 0;
diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index af5b628c0f..c3afb6aca1 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -21,6 +21,8 @@ unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
if (asclen == -1)
asclen = strlen(asc);
+ if (asclen < 0)
+ return NULL;
ulen = asclen * 2 + 2;
if ((unitmp = OPENSSL_malloc(ulen)) == NULL) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
@@ -44,9 +46,12 @@ char *OPENSSL_uni2asc(const unsigned char *uni, int unilen)
{
int asclen, i;
char *asctmp;
+
/* string must contain an even number of bytes */
if (unilen & 1)
return NULL;
+ if (unilen < 0)
+ return NULL;
asclen = unilen / 2;
/* If no terminating zero allow for one */
if (!unilen || uni[unilen - 1])
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 5ae952ad1f..0c6d5f72fe 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -236,6 +236,8 @@ int X509_ocspid_print(BIO *bp, X509 *x)
goto err;
subj = X509_get_subject_name(x);
derlen = i2d_X509_NAME(subj, NULL);
+ if (derlen <= 0)
+ goto err;
if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL)
goto err;
i2d_X509_NAME(subj, &dertmp);
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index 7ec4727c4d..f8a7dfe840 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -154,6 +154,8 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
unsigned char *p;
ext_len = method->i2d(ext_struc, NULL);
+ if (ext_len <= 0)
+ goto merr;
if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
goto merr;
p = ext_der;
diff --git a/crypto/x509/v3_ia5.c b/crypto/x509/v3_ia5.c
index c1204eb8fa..6722b6c01f 100644
--- a/crypto/x509/v3_ia5.c
+++ b/crypto/x509/v3_ia5.c
@@ -29,7 +29,7 @@ char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
{
char *tmp;
- if (ia5 == NULL || ia5->length == 0)
+ if (ia5 == NULL || ia5->length <= 0)
return NULL;
if ((tmp = OPENSSL_malloc(ia5->length + 1)) == NULL) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c
index 2e6e7e9f9b..1d371c4761 100644
--- a/crypto/x509/x509spki.c
+++ b/crypto/x509/x509spki.c
@@ -58,7 +58,10 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
unsigned char *der_spki, *p;
char *b64_str;
int der_len;
+
der_len = i2d_NETSCAPE_SPKI(spki, NULL);
+ if (der_len <= 0)
+ return NULL;
der_spki = OPENSSL_malloc(der_len);
b64_str = OPENSSL_malloc(der_len * 2);
if (der_spki == NULL || b64_str == NULL) {
More information about the openssl-commits
mailing list