[openssl-dev] [openssl.org #4160] Candidate bug, malloc failure related issues in s3_enc.c, hm_pmeth.c

Trevor Larock via RT rt at openssl.org
Sun Nov 29 11:09:35 UTC 2015


Hi folks,

Can I ask about some malloc failure handling issues, which seem to affect OpenSSL 1.0.1p and 1.0.2d?

1. In s3_enc.c::ssl3_digest_cached_records, we have the below code.

    s->s3->handshake_dgst =
        OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
    memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));

We are not checking for the return value of the malloc resulting in a straight null dereference in the memset.

2. In hm_pmeth.c::pkey_hmac_cleanup

    HMAC_PKEY_CTX *hctx = ctx->data;
    HMAC_CTX_cleanup(&hctx->ctx);

We are using hctx when it can be NULL. We could have failed to allocate ctx->data in int_ctx_new, which calls pmeth->init (the allocation can return an error there).

Thanks
Trev
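Both reports are the same class of defect: an allocation result is used before it is checked, or a later teardown assumes an earlier allocation succeeded. The following is an added, self-contained illustration (not OpenSSL's code) of the hardened shape of each pattern, with a hypothetical `fail_next_alloc` hook standing in for an out-of-memory condition so the failure path can actually be exercised; the struct names and `checked_malloc` are stand-ins, not the real OpenSSL types.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_DIGEST 6   /* stand-in for SSL_MAX_DIGEST */

/* Hypothetical fault-injection hook: when nonzero, the next allocation fails. */
static int fail_next_alloc = 0;

static void *checked_malloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

typedef struct { void *ctx; } hmac_pkey_ctx_t;     /* stand-in for HMAC_PKEY_CTX */
typedef struct { void *data; } pkey_ctx_t;         /* stand-in for EVP_PKEY_CTX */
typedef struct { void **handshake_dgst; } s3_state_t;

/* Issue 1, hardened: test the allocation before memset touches it.
 * Returns 1 on success, 0 on allocation failure (nothing is modified). */
int digest_cached_records(s3_state_t *s)
{
    void **dgst = checked_malloc(MAX_DIGEST * sizeof(void *));
    if (dgst == NULL)
        return 0;                    /* caller propagates the error */
    memset(dgst, 0, MAX_DIGEST * sizeof(void *));
    s->handshake_dgst = dgst;
    return 1;
}

/* Issue 2: init may fail to allocate ctx->data and report an error... */
int pkey_hmac_init(pkey_ctx_t *ctx)
{
    hmac_pkey_ctx_t *hctx = checked_malloc(sizeof(*hctx));
    if (hctx == NULL)
        return 0;
    hctx->ctx = NULL;
    ctx->data = hctx;
    return 1;
}

/* ...so cleanup must tolerate ctx->data == NULL instead of dereferencing it.
 * Returns 1 if a context was released, 0 if there was nothing to release. */
int pkey_hmac_cleanup(pkey_ctx_t *ctx)
{
    hmac_pkey_ctx_t *hctx = ctx->data;
    if (hctx == NULL)
        return 0;
    free(hctx);
    ctx->data = NULL;
    return 1;
}
```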




