[openssl-dev] [openssl.org #4585] some bugs in ver.1.0.2d (fix)
石磊 via RT
rt at openssl.org
Thu Jun 23 11:59:54 UTC 2016
Hi,
Recently, I found some bugs in ver.1.0.2d.
DESCRIPTION
_____
1. Line 122 in a_enum.c: return (0xffffffffL);
I think it should be "return -1;".
2. Line 149 in a_enum.c: if (BN_is_negative(bn))
I think it should be "if (BN_is_negative(bn) && !BN_is_zero(bn))".
3. Line 161 and line 164 in f_string.c:
sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + i * 2);
sp = (unsigned char *)OPENSSL_realloc(s, (unsigned int)num + i * 2);
Allocation "num + i" is enough.
4. Function a2i_ASN1_STRING in f_string.c.
The processing of the contents containing "\\" is not correct.
5. Function a2i_ASN1_STRING in f_string.c.
There is a memory leak when the content is like "1234567\\\r\n890".
6. Line 155 and line 158 in f_enum.c:
sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + i * 2);
sp = (unsigned char *)OPENSSL_realloc(s, (unsigned int)num + i * 2);
Allocation "num + i" is enough.
7. Function a2i_ASN1_ENUMERATED in f_enum.c.
The processing of the contents containing "\\" is not correct.
8. Function a2i_ASN1_ENUMERATED in f_enum.c.
There is a memory leak when the content is like "1234567\\\r\n890".
9. Line 169 and line 172 in f_int.c:
sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + i * 2);
sp = sp = OPENSSL_realloc_clean(s, slen, num + i * 2);
Allocation "num + i" is enough.
10. Function a2i_ASN1_INTEGER in f_int.c.
The processing of the contents containing "\\" is not correct.
11. Function a2i_ASN1_INTEGER in f_int.c.
There is a memory leak when the content is like "1234567\\\r\n890".
12. Line 226 in t1_ext.c:
exts->meths = OPENSSL_realloc(exts->meths, (exts->meths_count + 1) * sizeof(custom_ext_method));
There's a risk of memory leaks.
13. Line 896 in ssl_rsa.c:
ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo, serverinfo_length);
There's a risk of memory leaks.
14. Line 979 in ssl_rsa.c:
serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
There's a risk of memory leaks.
15. Line 366 in openbsd_hw.c:
md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len);
There's a risk of memory leaks.
16. Line 812 in eng_cryptodev.c:
state->mac_data = OPENSSL_realloc(state->mac_data, state->mac_len + count);
There's a risk of memory leaks.
17. Line 899 in b_sock.c: p = OPENSSL_realloc(p, nl);
There's a risk of memory leaks.
18. Line 724 in b_print.c: *buffer = OPENSSL_realloc(*buffer, *maxlen);
There's a risk of memory leaks.
19. Line 117 in engine.c: *buf = OPENSSL_realloc(*buf, *size);
There's a risk of memory leaks.
Thanks,
Shi Lei / Qihoo 360 Inc.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4585
Please log in as guest with password guest if prompted
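The realloc pattern behind items 12-19 (`p = OPENSSL_realloc(p, n)`) loses the only reference to the original block when the allocator returns NULL. The following is an added illustration, not code from the report or from OpenSSL: a constructed `grow_realloc()` hook can be made to fail on demand, and the leaky pattern is shown next to the fixed form that assigns to a temporary first.

```c
#include <stdlib.h>
#include <string.h>

/* Test hook (constructed for this example): when non-zero, the next
 * grow_realloc() call returns NULL, as a real allocator would under
 * memory pressure, so the two patterns below can be compared. */
static int fail_next_realloc = 0;

static void *grow_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* Leaky pattern (the one the report flags): on failure the old block
 * is still allocated, but its only reference has been overwritten
 * with NULL, so nobody can free it. */
int append_leaky(unsigned char **buf, size_t *len,
                 const unsigned char *in, size_t n)
{
    *buf = grow_realloc(*buf, *len + n);
    if (*buf == NULL)
        return 0;            /* original block is now unreachable */
    memcpy(*buf + *len, in, n);
    *len += n;
    return 1;
}

/* Fixed pattern: grow into a temporary; on failure *buf and *len are
 * untouched, so the caller still owns (and can free) the old data. */
int append_safe(unsigned char **buf, size_t *len,
                const unsigned char *in, size_t n)
{
    unsigned char *tmp = grow_realloc(*buf, *len + n);
    if (tmp == NULL)
        return 0;            /* *buf and *len unchanged */
    memcpy(tmp + *len, in, n);
    *buf = tmp;
    *len += n;
    return 1;
}
```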