[openssl-dev] [openssl.org #3976] Bug report
Stuart, Harold via RT
rt at openssl.org
Sat Aug 1 02:07:20 UTC 2015
The cryptographic engineering team at Blue Coat Systems is conducting a review of OpenSSL and has found the following minor bug. We would appreciate your consideration.
Observe the following lines in evp_enc.c:
    if (in->cipher_data && in->cipher->ctx_size) {
        out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
        if (!out->cipher_data) {
            EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_MALLOC_FAILURE);
            return 0;
        }
        memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
    }
    if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
        return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
Note that in->cipher_data is checked for NULL, which implies that in->cipher_data can be NULL. Now, take a look at function aes_ccm_ctrl, which is what in->cipher->ctrl points to:
    static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
    {
        EVP_AES_CCM_CTX *cctx = c->cipher_data;
        switch (type) {
        case EVP_CTRL_INIT:
            cctx->key_set = 0;
            cctx->iv_set = 0;
            cctx->L = 8;
            cctx->M = 12;
            cctx->tag_set = 0;
            cctx->len_set = 0;
            return 1;
Note that c->cipher_data has been dereferenced, even though it may be NULL.
Thanks,
Harold Stuart
Senior Staff Engineer
Blue Coat Systems, Inc.
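
A simplified model of the pattern the report describes, added here as an example (it is not OpenSSL's code and not from the reporter): the copy path guards its memcpy against a NULL cipher_data but still calls the ctrl handler, so the handler validates the pointer itself and fails closed. All names (ctx_t, cipher_t, ccm_state_t, ccm_ctrl, ctx_copy and the constants) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins for the EVP structures; every name here is hypothetical. */
enum { CTRL_INIT, CTRL_COPY, FLAG_CUSTOM_COPY = 1 };  /* ctrl codes, then a flag bit */
struct ctx;
typedef struct {
    size_t ctx_size;
    unsigned flags;
    int (*ctrl)(struct ctx *c, int type, int arg, void *ptr);
} cipher_t;
typedef struct ctx { const cipher_t *cipher; void *cipher_data; } ctx_t;
typedef struct { int key_set, iv_set, L, M; } ccm_state_t;

/* Handler that validates the per-cipher state before touching it. */
static int ccm_ctrl(ctx_t *c, int type, int arg, void *ptr)
{
    ccm_state_t *s = c->cipher_data;
    (void)arg; (void)ptr;
    if (s == NULL)
        return 0;                 /* fail closed rather than dereference NULL */
    switch (type) {
    case CTRL_INIT:
        s->key_set = 0; s->iv_set = 0; s->L = 8; s->M = 12;
        return 1;
    case CTRL_COPY: return 1;     /* the memcpy in ctx_copy already did the work */
    default: return -1;
    }
}
static const cipher_t ccm = { sizeof(ccm_state_t), FLAG_CUSTOM_COPY, ccm_ctrl };

/* Same shape as the copy path quoted in the report: guarded memcpy, then ctrl. */
static int ctx_copy(ctx_t *out, const ctx_t *in)
{
    out->cipher = in->cipher;
    out->cipher_data = NULL;
    if (in->cipher_data && in->cipher->ctx_size) {
        if ((out->cipher_data = malloc(in->cipher->ctx_size)) == NULL)
            return 0;
        memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
    }
    if (in->cipher->flags & FLAG_CUSTOM_COPY)
        return in->cipher->ctrl((ctx_t *)in, CTRL_COPY, 0, out);
    return 1;
}

int main(void)
{
    ctx_t in = { &ccm, NULL }, out;
    return ctx_copy(&out, &in) == 0 ? 0 : 1;  /* NULL state must be rejected */
}
```

Without the NULL check at the top of the handler, the first call in main would reach the switch with s == NULL, which is the condition the report points at.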