[openssl-dev] [openssl.org #3816] Call of memcmp with null pointers in obj_cmp()

Hanno Boeck via RT rt at openssl.org
Tue Apr 21 07:00:50 UTC 2015


The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.

This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):
apps/openssl pkcs7 -in test/testp7.pem

What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.

Attached patch will check for zero-sized objects and won't call memcmp
on them.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl-fix-obj_cmp-memcmp-nullptr.diff
Type: text/x-patch
Size: 417 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150421/ccc332a8/attachment.bin>
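
The guard described in the report, as an added example: this is not the attached patch (which is not reproduced on this page) and not OpenSSL's own code. struct demo_obj, the constructed table and demo_lookup() are hypothetical stand-ins for the length/data pair; the bsearch() lookup over a sorted table is an assumption made to give the comparison a realistic caller.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the length/data pair the report describes;
 * this is not OpenSSL's ASN1_OBJECT definition. */
struct demo_obj {
    int length;
    const unsigned char *data;   /* may be NULL when length == 0 */
};

/* Unguarded form: two zero-sized objects with NULL data reach
 * memcmp(NULL, NULL, 0), which is undefined behaviour even though no
 * byte is read. Shown for contrast; never called here with NULL data. */
int cmp_unguarded(const struct demo_obj *a, const struct demo_obj *b)
{
    int diff = a->length - b->length;
    if (diff != 0) return diff;
    return memcmp(a->data, b->data, (size_t)a->length);
}

/* Guarded form: equal lengths of zero compare equal without memcmp. */
int cmp_guarded(const struct demo_obj *a, const struct demo_obj *b)
{
    int diff = a->length - b->length;
    if (diff != 0)
        return diff;
    if (a->length == 0)
        return 0;
    return memcmp(a->data, b->data, (size_t)a->length);
}

static int adapter(const void *k, const void *e) { return cmp_guarded(k, e); }

/* Constructed table, sorted by (length, bytes); entry 0 is zero-sized. */
static const unsigned char d1[] = { 0x2a };
static const unsigned char d2[] = { 0x2a, 0x03 };
static const struct demo_obj table[] = { {0, NULL}, {1, d1}, {2, d2} };

/* Returns the table index of the matching entry, or -1 if absent. */
int demo_lookup(const unsigned char *data, int length)
{
    struct demo_obj key = { length, data };
    const struct demo_obj *hit = bsearch(&key, table, 3, sizeof table[0], adapter);
    return hit ? (int)(hit - table) : -1;
}

int main(void) { return demo_lookup(NULL, 0) == 0 ? 0 : 1; }
```

Building this with -fsanitize=undefined and switching the adapter to cmp_unguarded() produces the kind of sanitizer report the message describes for the zero-sized key.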

