[openssl-dev] [openssl.org #4370] [PATCH] Potential for NULL pointer dereferences in OpenSSL-1.0.2g (CWE-476)

Bill Parker via RT rt at openssl.org
Wed Mar 2 17:24:49 UTC 2016


Hello All,

In reviewing source code in directory 'openssl-1.0.2g/apps', in file
'ca.c', there are a few instances where OPENSSL_malloc() is called, but
immediately afterwards a call to memcpy() is made with the return value
from the call, but the check for NULL is made AFTER the memcpy().

However, if the 1st argument to memcpy() is NULL, a segmentation fault/
violation will occur.  The patch file below should address/correct this
issue:

--- ca.c.orig   2016-03-01 18:08:42.795466224 -0800
+++ ca.c        2016-03-01 18:13:10.149445540 -0800
@@ -2107,6 +2107,10 @@

     tm = X509_get_notAfter(ret);
     row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
+    if (row[DB_exp_date] == NULL) {
+       BIO_printf(bio_err, "Memory allocation failure\n");
+       goto err;
+    }
     memcpy(row[DB_exp_date], tm->data, tm->length);
     row[DB_exp_date][tm->length] = '\0';

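Review bot: the two body lines of the new block (`BIO_printf` and `goto err`) are indented 7 spaces, while the surrounding code in this hunk steps by 4 (the `tm =` line at 4, the existing `BIO_printf` inside the later check at 8); indent the body to 8 so it matches the existing `if (...) { ... goto err; }` block just below. A smaller change would also do here: the combined NULL check that already covers `row[DB_exp_date]` is only a few lines further down, so moving the `memcpy()` and the NUL-termination below that check fixes the same dereference without a second copy of the "Memory allocation failure" message. If the early check is kept, it at least needs the indentation fix.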
@@ -2116,7 +2120,7 @@
     row[DB_file] = (char *)OPENSSL_malloc(8);
     row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);

-    if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+    if ((row[DB_type] == NULL) ||
         (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
         BIO_printf(bio_err, "Memory allocation failure\n");
         goto err;
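Review bot: removing `row[DB_exp_date]` from this combined check is only safe because the 2107 hunk now rejects a NULL allocation before the `memcpy()`; the two hunks must be applied together, and a reader of this hunk on its own cannot see that the check still happens. Keeping this condition as it was and moving the copy below it would avoid that coupling. The surviving continuation line `(row[DB_file] == NULL) || (row[DB_name] == NULL)) {` still reads fine after the first line was shortened, so no reflow is needed.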
@@ -2375,6 +2379,10 @@

         tm = X509_get_notAfter(x509);
         row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
+       if (row[DB_exp_date] == NULL) {
+           BIO_printf(bio_err, "Memory allocation failure\n");
+           goto err;
+       }
         memcpy(row[DB_exp_date], tm->data, tm->length);
         row[DB_exp_date][tm->length] = '\0';

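Review bot: same indentation problem as the 2107 hunk: the added `if` and its closing brace sit at 7 spaces and the body at 11, where the surrounding `tm =` and `memcpy` lines are at 8 and the file steps by 4; align to 8/12/8. Substantively this is the same change as the first hunk, so whichever variant is chosen there (early check, or moving the copy below the existing combined check) should be applied here as well so the two code paths stay parallel.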
@@ -2385,8 +2393,7 @@

         /* row[DB_name] done already */

-        if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
-            (row[DB_file] == NULL)) {
+        if ((row[DB_type] == NULL) || (row[DB_file] == NULL)) {
             BIO_printf(bio_err, "Memory allocation failure\n");
             goto err;
         }

=======================================================================

In directory 'openssl-1.0.2g/crypto/engine', file 'eng_cryptodev.c',
there is a call to OPENSSL_malloc() in function 'cryptodev_digest_copy()'
where the return value is not checked for NULL, but immediately afterwards
the statement:

memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);

is processed, but if dstate->mac_data is NULL, this will cause a segmentation
fault/violation.

The patch file below should address/correct this issue:

--- eng_cryptodev.c.orig        2016-03-01 19:31:03.315380900 -0800
+++ eng_cryptodev.c     2016-03-01 19:32:43.154069884 -0800
@@ -937,6 +937,10 @@
     if (fstate->mac_len != 0) {
         if (fstate->mac_data != NULL) {
             dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
+           if (dstate->mac_data == NULL) {
+               printf("cryptodev_digest_init: Memory allocation failed\n");
+               return (0);
+           }
             memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
             dstate->mac_len = fstate->mac_len;
         }

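Review bot: the error message names `cryptodev_digest_init`, but according to the description above this code is in `cryptodev_digest_copy()`; the message should name the function it actually lives in. `printf()` to stdout is also the wrong channel for failure reporting inside an engine that runs within a library; record the failure with an ERR_R_MALLOC_FAILURE entry on the error queue or just return 0 without printing. Minor: `return (0);` here versus the plain `return 0;` used in the other patches of this submission, and the added lines are at 11/15 spaces where the `dstate->mac_data =` and `memcpy` lines are at 12; indent to 12/16/12.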

=======================================================================

In directory 'openssl-1.0.2g/crypto/x509v3', in file 'v3_alt.c', there
is a call to OPENSSL_malloc() which is not checked for a return value
of NULL, indicating failure in function 'static int do_othername()',
but immediately afterwards the statement:

strncpy(objtmp, value, objlen);

is processed, but if 'objtmp' is NULL, this will generate a segmentation
fault/violation.

The patch file below should address/correct this issue:

--- v3_alt.c.orig       2016-03-01 19:51:02.114742135 -0800
+++ v3_alt.c    2016-03-01 19:51:52.816186027 -0800
@@ -573,6 +573,8 @@
         return 0;
     objlen = p - value;
     objtmp = OPENSSL_malloc(objlen + 1);
+    if (objtmp == NULL)
+       return 0;
     strncpy(objtmp, value, objlen);
     objtmp[objlen] = 0;
     gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);

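Review bot: the added `return 0;` is indented 7 spaces against the 8 used by the existing `return 0;` at the top of this hunk and by the `strncpy` line below; align it. Consider also pushing an ERR_R_MALLOC_FAILURE entry onto the error queue before returning, since an allocation failure now takes the same `return 0` path as the parse failure above it and the caller cannot tell them apart. Brace style differs from the ui_lib.c patch in the same submission (braces around the single-statement body there, none here); pick one and use it across the set.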
=======================================================================

In directory 'openssl-1.0.2g/crypto/ui', in file 'ui_lib.c', there
is a call to OPENSSL_malloc() which is not checked for a return value
of NULL, indicating failure, but immediately afterwards the statement:

BUF_strlcpy(prompt, prompt1, len + 1);

is processed, but if 'prompt' is NULL, this will generate a segmentation
fault/violation.

The patch file below should address/correct this issue:

--- ui_lib.c.orig       2015-09-12 09:05:14.193000000 -0700
+++ ui_lib.c    2015-09-12 09:56:53.328000000 -0700
@@ -413,6 +413,9 @@
         len += sizeof(prompt3) - 1;

         prompt = (char *)OPENSSL_malloc(len + 1);
+       if (prompt == NULL) {
+           return NULL;
+       }
         BUF_strlcpy(prompt, prompt1, len + 1);
         BUF_strlcat(prompt, object_desc, len + 1);
         if (object_name) {

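Review bot: the file header shows this diff was taken against a tree dated 2015-09-12, unlike the other three patches (2016-03-01), so it should be regenerated against 1.0.2g to confirm the `@@ -413` offset and context still apply. The check itself looks right: `prompt` is the string being built and handed back, so NULL is the natural failure value, matching what the added `return NULL;` assumes. The added lines sit at 7/11/7 spaces where the `prompt =` and `BUF_strlcpy` lines are at 8; indent to 8/12/8.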
=======================================================================

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4370
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ui_lib.c.patch
Type: application/octet-stream
Size: 388 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160302/13a2b9ba/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: v3_alt.c.patch
Type: application/octet-stream
Size: 374 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160302/13a2b9ba/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: eng_cryptodev.c.patch
Type: application/octet-stream
Size: 535 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160302/13a2b9ba/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ca.c.patch
Type: application/octet-stream
Size: 1502 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160302/13a2b9ba/attachment-0003.obj>
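The pattern all four patches fix is the same: allocate, copy into the result, and only afterwards (or never) look at whether the allocation succeeded. The following is an added example, not code from the patches or from OpenSSL, that puts the unchecked and the checked form side by side and adds a fault-injection hook so the NULL path can actually be exercised in a test. `demo_malloc`, `fail_next_alloc`, `struct demo_time`, `copy_time_unchecked`, `copy_time_checked` and `demo_run` are hypothetical names; `struct demo_time` is a constructed stand-in for the `tm->data` / `tm->length` pair used in the ca.c hunks, and the sample bytes are constructed.

```c
/*
 * Added example (not from the OpenSSL patches or code base): the
 * allocate-then-copy pattern from the report, unchecked and checked,
 * with an allocator hook that can be made to fail on demand.
 */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for OPENSSL_malloc(): when fail_next_alloc is
 * non-zero, the next request returns NULL and the flag is cleared. */
static int fail_next_alloc = 0;

static void *demo_malloc(size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Constructed stand-in for an ASN1_TIME-like value: a byte buffer that
 * is NOT NUL-terminated, plus its length (tm->data / tm->length). */
struct demo_time {
    const unsigned char *data;
    size_t length;
};

/* The 'before' form the report describes: the allocation result feeds
 * memcpy() before anyone checks it, so a failed allocation dereferences
 * NULL (CWE-476). Kept here only for contrast; never call it when the
 * allocator can fail. */
static char *copy_time_unchecked(const struct demo_time *tm)
{
    char *out = demo_malloc(tm->length + 1);
    memcpy(out, tm->data, tm->length);   /* crashes if out == NULL */
    out[tm->length] = '\0';
    return out;
}

/* The checked form the patches introduce: test the allocation first and
 * report failure to the caller by returning NULL. */
static char *copy_time_checked(const struct demo_time *tm)
{
    char *out = demo_malloc(tm->length + 1);
    if (out == NULL)
        return NULL;                     /* caller must handle this */
    memcpy(out, tm->data, tm->length);
    out[tm->length] = '\0';
    return out;
}

/* Exercises both forms on the success path and the checked form on the
 * allocation-failure path. Returns 1 when every step behaves as expected. */
int demo_run(void)
{
    /* constructed sample: eight digits, no terminating NUL */
    static const unsigned char raw[] = { '2','0','1','6','0','3','0','2' };
    const struct demo_time tm = { raw, sizeof raw };
    int ok = 1;
    char *s;

    /* Both forms produce the same NUL-terminated copy when malloc works. */
    s = copy_time_unchecked(&tm);
    ok = ok && s != NULL && strcmp(s, "20160302") == 0;
    free(s);

    s = copy_time_checked(&tm);
    ok = ok && s != NULL && strcmp(s, "20160302") == 0;
    free(s);

    /* Inject one allocation failure: the checked form must return NULL
     * rather than dereference it. */
    fail_next_alloc = 1;
    s = copy_time_checked(&tm);
    ok = ok && s == NULL;
    free(s);                             /* free(NULL) is a no-op */

    return ok;
}

int main(void)
{
    int ok = demo_run();
    printf("%s\n", ok ? "checked copy survives allocation failure" : "FAIL");
    return ok ? 0 : 1;
}
```

The fault-injection hook is the part worth keeping around: a NULL-return path that is never executed in tests is exactly how the unchecked copies in ca.c, eng_cryptodev.c, v3_alt.c and ui_lib.c went unnoticed, and forcing the allocator to fail once per call site is a cheap way to make such a path run under a sanitizer build.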

