[openssl-dev] [openssl.org #3903] Infer run on openssl-1.0.2a
Jules Villard via RT
rt at openssl.org
Thu Jun 11 22:44:24 UTC 2015
Hello,
The following 13 potential null-pointer dereference bugs were found by
running Facebook's Infer static analyzer on openssl-1.0.2a. You can
reproduce these reports by downloading Infer and running it like so:

    https://fbinfer.org/docs/getting-started.html

    cd openssl-1.0.2a
    ./config && make clean
    infer -- make
    inferTraceBugs

The last command allows you to see more information about each report,
in particular symbolic traces that lead to the bug.

- apps/srp.c at line 149: NULL_DEREFERENCE
    pointer pp last assigned on line 148 could be null and is dereferenced at line 149, column 43
  apps/srp.c at line 166: NULL_DEREFERENCE
    pointer pp last assigned on line 164 could be null and is dereferenced at line 166, column 13

  The functions print_entry and print_user don't check that
  db->data->data is not NULL, hence sk_OPENSSL_PSTRING_value could
  return NULL.

  Additional note: the test is slightly different in both cases:
  "verbose > 0" for print_user vs "indx >= 0 && verbose" for
  print_entry.

- apps/x509.c at line 1108: NULL_DEREFERENCE
    pointer upkey last assigned on line 1107 could be null and is dereferenced by call to EVP_PKEY_copy_parameters() at line 1108, column 5

  Calling x509_certify() with xca == NULL or xca->cert_info == NULL
  makes X509_get_pubkey() return NULL, which triggers a NULL
  dereference in EVP_PKEY_copy_parameters().

  Additional note: the return value of X509_get_pubkey() is checked
  for NULL elsewhere in the codebase, eg, in apps/ca.c:1597.

- apps/x509.c at line 1220: NULL_DEREFERENCE
    pointer pktmp last assigned on line 1219 could be null and is dereferenced by call to EVP_PKEY_copy_parameters() at line 1220, column 5

  Similar to the previous one.

- crypto/mem_dbg.c at line 647: NULL_DEREFERENCE
    pointer lcl last assigned on line 644 could be null and is dereferenced at line 647, column 22

  localtime(3) can return NULL in case of error.

- crypto/objects/o_names.c at line 105: NULL_DEREFERENCE
    pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 105, column 9
  crypto/objects/o_names.c at line 107: NULL_DEREFERENCE
    pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 107, column 9
  crypto/objects/o_names.c at line 109: NULL_DEREFERENCE
    pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 109, column 9

  If the names_type_num < 0 or if name_type_num >=
  name_funcs_stack->num, then name_funcs is assigned to NULL on
  line 103. These ones may be false positives, as it looks like
  this can never be the case in that file.

- crypto/pkcs7/pk7_doit.c at line 1149: NULL_DEREFERENCE
    pointer ri last assigned on line 1148 could be null and is dereferenced at line 1149, column 12

  If PKCS7_get_issuer_and_serial() is called with idx < 0 then the
  execution gets to the last call to sk_PKCS7_RECIP_INFO_value(),
  which returns NULL.

- crypto/x509/x509_cmp.c at line 410: NULL_DEREFERENCE
    pointer x last assigned on line 405 could be null and is dereferenced at line 410, column 55

  If X509_chain_check_suiteb() is called with chain == NULL, then the
  call to sk_X509_value() on line 410 will assign NULL to x. Line 410
  is X509_get_version(x), which dereferences x without checking for
  NULL.

- crypto/x509/x509_req.c at line 125: NULL_DEREFERENCE
    pointer xk last assigned on line 124 could be null and is dereferenced by call to EVP_PKEY_cmp() at line 125, column 13

  If X509_REQ_check_private_key() is called with x == NULL, then xk
  will get NULL on line 124.

- crypto/x509/x509_req.c at line 204: NULL_DEREFERENCE
    pointer attr last assigned on line 203 could be null and is dereferenced at line 204, column 13

  In X509_REQ_get_extensions(), the call to X509_REQ_get_attr_by_NID()
  may return -2 as an error code, but the caller checks for -1
  instead. This results in an NPE a few lines down, as the -2 is
  passed to X509_REQ_get_attr(), which sees that idx is invalid and
  returns NULL. Then attr == NULL is dereferenced by attr->single in
  the condition of the if statement on the next line.

- crypto/x509/x509_lu.c at line 311: NULL_DEREFERENCE
    pointer lu last assigned on line 310 could be null and is dereferenced by call to X509_LOOKUP_by_subject() at line 311, column 17

  If vs->ctx->get_cert_methods is NULL then sk_X509_LOOKUP_num()
  returns -1 in the condition of the for loop. Then, if
  vs->current_method < -1 we still enter the body of the loop. Then lu
  gets assigned to NULL by sk_X509_LOOKUP_value.

Best regards,
Jules Villard
Facebook Static Analysis Tools Team
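
Added illustration, not code from this report or from OpenSSL: several of the findings above (o_names.c, pk7_doit.c, x509_cmp.c, x509_req.c, x509_lu.c) share one root shape, a sk_*_value() call fed an index that is negative or out of range, which returns NULL that the caller then dereferences. The toy C below models that accessor contract as the report describes it (sk_*_num() is -1 on a NULL stack, sk_*_value() is NULL for any bad index) and shows the caller pattern that survives it: reject every negative index, not just -1, and check the returned pointer. The struct and function names, and attr_get_by_name() with its -1/-2 return codes, are assumptions modelled on the report's description of X509_REQ_get_attr_by_NID(), not OpenSSL's own API.

```c
/* Added example, not OpenSSL code: a toy model of the STACK_OF(T) accessor
 * semantics the report relies on, and a caller written to survive them. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;   /* attribute name, constructed sample data */
    const char *value;
} attr_t;

typedef struct {
    attr_t *data;       /* may be NULL for an empty stack */
    int num;
} attr_stack_t;

/* Mirrors sk_*_num(): -1 when the stack itself is NULL. */
static int attr_stack_num(const attr_stack_t *st) {
    return st ? st->num : -1;
}

/* Mirrors sk_*_value(): NULL for a NULL stack or any out-of-range index,
 * including negative error codes a caller forgot to filter out. */
static attr_t *attr_stack_value(const attr_stack_t *st, int idx) {
    if (st == NULL || st->data == NULL || idx < 0 || idx >= st->num)
        return NULL;
    return &st->data[idx];
}

/* Assumed lookup contract, modelled on the report's description of
 * X509_REQ_get_attr_by_NID(): index on success, -1 when not found,
 * -2 when the lookup key itself is invalid. */
static int attr_get_by_name(const attr_stack_t *st, const char *name, int lastpos) {
    int i;
    if (name == NULL || name[0] == '\0')
        return -2;
    if (lastpos < 0)
        lastpos = -1;
    for (i = lastpos + 1; i < attr_stack_num(st); i++) {
        attr_t *a = attr_stack_value(st, i);
        if (a != NULL && strcmp(a->name, name) == 0)
            return i;
    }
    return -1;
}

/* Hardened caller: every negative index is a failure (so -2 can never be
 * passed on as a position), and the value pointer is checked before use. */
static const char *lookup_attr_value(const attr_stack_t *st, const char *name) {
    int idx = attr_get_by_name(st, name, -1);
    attr_t *a;
    if (idx < 0)            /* covers both -1 (absent) and -2 (bad key) */
        return NULL;
    a = attr_stack_value(st, idx);
    if (a == NULL)          /* empty or NULL stack */
        return NULL;
    return a->value;
}

/* Constructed sample data for the demonstration. */
static attr_t sample_attrs[] = {
    { "challengePassword", "constructed-secret" },
    { "extensionRequest",  "constructed-ext" },
};
static attr_stack_t sample_stack = { sample_attrs, 2 };
static attr_stack_t empty_stack  = { NULL, 0 };

int main(void) {
    const char *v;
    v = lookup_attr_value(&sample_stack, "extensionRequest");
    printf("present:     %s\n", v ? v : "(null)");
    v = lookup_attr_value(&sample_stack, "missing");
    printf("absent:      %s\n", v ? v : "(null)");
    v = lookup_attr_value(&empty_stack, "extensionRequest");
    printf("empty stack: %s\n", v ? v : "(null)");
    v = lookup_attr_value(NULL, "");
    printf("bad key:     %s\n", v ? v : "(null)");
    return 0;
}
```

The check `idx < 0` is the whole fix for the x509_req.c case: comparing against -1 alone lets the -2 error code reach the value accessor, which dutifully returns NULL. The separate NULL test on the accessor's result is what the x509_cmp.c and x509_lu.c callers lack, and it is cheap enough to keep even where the index looks trustworthy.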
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod