[openssl-dev] [openssl.org #4371] [PATCH] Missing Sanity Check for malloc() in openssl-1.0.2g for 'apps/speed.c'
Bill Parker via RT
rt at openssl.org
Wed Mar 2 17:24:49 UTC 2016
Hello All,
In reviewing source code for OpenSSL-1.0.2g, it would appear in file
'apps/speed.c', in function 'static int do_multi()', a call to malloc()
is made without being tested for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- speed.c.orig 2016-03-01 18:19:44.213529059 -0800
+++ speed.c 2016-03-01 18:21:24.822315918 -0800
@@ -2614,6 +2614,10 @@
static char sep[] = ":";
fds = malloc(multi * sizeof *fds);
+ if (fds == NULL) {
+ fprintf(stderr, "out of memory\n");
+ exit(1);
+ }
for (n = 0; n < multi; ++n) {
if (pipe(fd) == -1) {
fprintf(stderr, "pipe failure\n");
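Review bot: the added check after `fds = malloc(multi * sizeof *fds);` treats every NULL return as memory exhaustion, but the size expression feeding that call is still unvalidated. If `multi` is 0, malloc() is allowed to return NULL for a zero-byte request and the program would exit with a misleading "out of memory". If `multi` is a signed value that is negative or very large, the multiplication by `sizeof *fds` can produce a huge or wrapped size. Consider rejecting a non-positive or out-of-range `multi` before the allocation, so that the new branch only fires on a genuine allocation failure. The fprintf(stderr, ...) plus exit(1) handling is consistent with the "pipe failure" path just below it.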
Should the call to malloc() be changed to OPENSSL_malloc() as well?
Bill Parker (wp02855 at gmail dot com)
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4371
Please log in as guest with password guest if prompted