[openssl-dev] [openssl.org #4375] [PATCH] Missing Sanity Checks for OPENSSL_malloc() in OpenSSL-1.0.2g
Bill Parker via RT
rt at openssl.org
Thu Mar 3 20:57:11 UTC 2016
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file
'ssl_ciph.c', in function 'SSL_COMP_add_compression_method()',
there is a call to OPENSSL_malloc() which is not checked for a
return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- ssl_ciph.c.orig 2016-03-02 17:39:01.677826126 -0800
+++ ssl_ciph.c 2016-03-02 17:40:51.942840242 -0800
@@ -1996,6 +1996,8 @@
MemCheck_off();
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp == NULL)
+ return 1;
comp->id = id;
comp->method = cm;
load_builtin_compressions();
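Review bot: The new early return leaves memory checking switched off, because `MemCheck_off()` two lines above the allocation is never undone before `return 1;`; the function's existing exits (outside the hunk) pair it with `MemCheck_on()`, and this path needs the same. It also returns without queuing an error, so a caller cannot distinguish an allocation failure from the duplicate-id rejection that uses the same return value. Suggested form: `if (comp == NULL) { MemCheck_on(); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); return 1; }`. The rest of SSL_COMP_add_compression_method, including its other return statements, is outside the hunk.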
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/bio', file
'bss_rtcp.c', in function 'rtcp_new()', there is a call to
OPENSSL_malloc() which is not checked for a return value of NULL,
indicating failure.
The patch file below should address/correct this issue:
--- bss_rtcp.c.orig 2016-03-02 15:25:08.307826108 -0800
+++ bss_rtcp.c 2016-03-02 15:25:47.326785217 -0800
@@ -170,6 +170,8 @@
bi->num = 0;
bi->flags = 0;
bi->ptr = OPENSSL_malloc(sizeof(struct rpc_ctx));
+ if (bi->ptr == NULL)
+ return (0);
ctx = (struct rpc_ctx *)bi->ptr;
ctx->filled = 0;
ctx->pos = 0;
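Review bot: The failure return leaves whatever `rtcp_new` set before the lines shown here in place; in 1.0.2g that includes `bi->init = 1` just above `bi->num = 0`, so the BIO is briefly marked initialised with a NULL `bi->ptr`. BIO_new() discards the object when the create callback returns 0, so this is harmless today, but `if (bi->ptr == NULL) { bi->init = 0; return (0); }` keeps the struct self-consistent if that ever changes. Nothing is put on the error queue either, so the caller's NULL from BIO_new() carries no reason; presumably there is no `BIO_F_` code for this file to use, so I would note it rather than block on it. The start of rtcp_new is outside the hunk.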
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'apps', file
'apps.c', in function 'args_from_file()', there is a call to
OPENSSL_malloc() which is not checked for a return value of NULL,
indicating failure.
The patch file below should address/correct this issue:
--- apps.c.orig 2016-03-02 15:27:24.293109138 -0800
+++ apps.c 2016-03-02 15:27:48.108135906 -0800
@@ -215,7 +215,8 @@
if (arg != NULL)
OPENSSL_free(arg);
arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
-
+ if (arg == NULL)
+ return (0);
*argv = arg;
num = 0;
p = buf;
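Review bot: The early return leaves `*argv`/`*argc` untouched and keeps the `buf` allocated earlier in `args_from_file` (outside the hunk); if `buf` is a static reused across calls, as `arg` appears to be given the free-before-reallocate on the preceding lines, nothing leaks, but if it is a plain local it must be freed before `return (0);`, so please verify. The hunk also deletes an unrelated blank line (`-` with no content), which is best left out of a minimal fix. The function's beginning and end are outside the hunk.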
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/x509', file
'by_dir.c', in function 'get_cert_by_subject()', there is a call to
OPENSSL_malloc() which is not checked for a return value of NULL,
indicating failure.
The patch file below should address/correct this issue:
--- by_dir.c.orig 2016-03-02 15:29:32.361385958 -0800
+++ by_dir.c 2016-03-02 15:30:04.762503973 -0800
@@ -401,6 +401,10 @@
}
if (!hent) {
hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
+ if (hent == NULL) {
+ X509err(X509_F_GET_CERT_BY_SUBJECT,
ERR_R_MALLOC_FAILURE);
+ goto finish;
+ }
hent->hash = h;
hent->suffix = k;
if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
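Review bot: The new `goto finish;` is taken with `CRYPTO_LOCK_X509_STORE` still write-locked: this block runs under `CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE)` (outside the hunk), and the sibling failure branch right below — `sk_BY_DIR_HASH_push` failing, whose body is also outside the hunk — calls `CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE)` before its own `goto finish`. Without the same release here an allocation failure leaves the store lock held for every later caller. Suggested body: `X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE); CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); ok = 0; goto finish;`. The `X509err(` call split across two lines looks like mail wrapping rather than a change to the patch itself.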
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'engines', file
'e_capi.c', in function 'capi_get_provname()', there is a call to
OPENSSL_malloc() or alloca() which is not checked for a return value
of NULL, indicating failure.

In function 'capi_cert_get_fname()', there is a call to OPENSSL_malloc()
which is not checked for a return value of NULL, indicating failure.
In function 'capi_get_key()', there is a call to OPENSSL_malloc()
which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- e_capi.c.orig 2016-03-02 15:31:15.011432251 -0800
+++ e_capi.c 2016-03-02 15:35:24.264110984 -0800
@@ -1106,6 +1106,10 @@
name = alloca(len);
else
name = OPENSSL_malloc(len);
+ if (name == NULL) {
+ CAPIerr(CAPI_F_CAPI_GET_PROVNAME, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) {
err = GetLastError();
if (err == ERROR_NO_MORE_ITEMS)
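Review bot: The NULL check only covers the heap branch: `alloca(len)` on the `sizeof(TCHAR) != sizeof(char)` path never returns NULL (stack exhaustion is undefined behaviour), so that branch is as unchecked after the patch as before. The check is still the right thing for the `OPENSSL_malloc(len)` branch, but a comment such as `/* alloca() cannot fail detectably; this guards the OPENSSL_malloc() branch */` would stop the next reader from assuming both branches are covered. The surrounding capi_get_provname body, including where `name` is freed, is outside the hunk.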
@@ -1286,6 +1290,10 @@
(cert, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dlen))
return NULL;
wfname = OPENSSL_malloc(dlen);
+ if (wfname == NULL) {
+ CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
if (CertGetCertificateContextProperty
(cert, CERT_FRIENDLY_NAME_PROP_ID, wfname, &dlen)) {
char *fname = wide_to_asc(wfname);
@@ -1436,6 +1444,11 @@
CAPI_KEY *key;
DWORD dwFlags = 0;
key = OPENSSL_malloc(sizeof(CAPI_KEY));
+ if (key == NULL) {
+ CAPIerr(CAPI_F_CAPI_GET_KEY, ERR_R_MALLOC_FAILURE);
+ capi_addlasterror();
+ goto err;
+ }
if (sizeof(TCHAR) == sizeof(char))
CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s,
type=%d\n",
contname, provname, ptype);
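Review bot: `capi_addlasterror();` in the new error branch reports GetLastError(), which an OPENSSL_malloc() failure does not set, so it appends a stale or unrelated Windows error to the queue after the ERR_R_MALLOC_FAILURE; drop that line and keep `CAPIerr(CAPI_F_CAPI_GET_KEY, ERR_R_MALLOC_FAILURE); goto err;`. The `goto err` itself is fine provided the `err:` label (outside the hunk) only frees `key`, which tolerates NULL. The `CAPI_trace(` string split over three lines below is mail wrapping, not a change.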
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/jpake', file
'jpake.c', in function 'JPAKE_CTX_new()', there is a call to
OPENSSL_malloc() or alloca() which is not checked for a return value
of NULL, indicating failure.
In function 'hashbn()', there is a call to OPENSSL_malloc()
which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- jpake.c.orig 2016-03-02 16:33:13.494032268 -0800
+++ jpake.c 2016-03-02 16:34:37.809748362 -0800
@@ -116,6 +116,8 @@
const BIGNUM *secret)
{
JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
+ if (ctx == NULL)
+ return NULL;
JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
@@ -150,6 +152,8 @@
{
size_t l = BN_num_bytes(bn);
unsigned char *bin = OPENSSL_malloc(l);
+ if (bin == NULL)
+ return NULL; /* oops, memory allocation failed... */
hashlength(sha, l);
BN_bn2bin(bn, bin);
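Review bot: `return NULL;` cannot be right here: hashbn's signature is outside the hunk, but in 1.0.2g it is `static void hashbn(SHA_CTX *sha, const BIGNUM *bn)`, and a return with a value from a void function is a constraint violation. Even with a bare `return;` the problem remains — the function would silently omit this BIGNUM from the zero-knowledge-proof hash and its callers would go on with a wrong digest. The function needs to become `static int hashbn(SHA_CTX *sha, const BIGNUM *bn)`, returning 0 on the allocation failure and 1 after the update, with the callers (outside the hunk) checking the result and failing the proof generation or verification.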
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file
't1_lib.c', in function 'tls1_process_heartbeat()', there is a call to
OPENSSL_malloc() which is not checked for a return value of NULL,
indicating failure.
In function 'tls1_heartbeat()', there is a call to OPENSSL_malloc()
which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- t1_lib.c.orig 2016-03-02 17:59:59.042630727 -0800
+++ t1_lib.c 2016-03-02 18:01:33.275607253 -0800
@@ -3856,6 +3856,8 @@
* plus 2 bytes payload length, plus payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+ if (!buffer)
+ return -1;
bp = buffer;
/* Enter response type, length and copy payload */
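Review bot: Neither this hunk nor the `tls1_heartbeat` hunk below queues an error, so the `-1` is the only trace of the failure; in 1.0.2g the caller of tls1_process_heartbeat in ssl3_read_bytes ignores the return value (please confirm), which makes the failure completely silent. Use `if (!buffer) { SSLerr(SSL_F_TLS1_PROCESS_HEARTBEAT, ERR_R_MALLOC_FAILURE); return -1; }` here and `SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_MALLOC_FAILURE)` in the second hunk, matching how the rest of these functions report errors. Both functions begin and end outside their hunks.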
@@ -3942,6 +3944,8 @@
* - Padding
*/
buf = OPENSSL_malloc(1 + 2 + payload + padding);
+ if (!buf)
+ return -1;
p = buf;
/* Message Type */
*p++ = TLS1_HB_REQUEST;
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/asn1', file
'asn_mime.c', in function 'multi_split()', there is a call to
BIO_new() which is not checked for a return value of NULL, indicating
failure.
The patch file below should address/correct this issue:
--- asn_mime.c.orig 2016-03-03 09:50:57.496613461 -0800
+++ asn_mime.c 2016-03-03 09:52:36.254165038 -0800
@@ -623,6 +623,8 @@
if (bpart)
sk_BIO_push(parts, bpart);
bpart = BIO_new(BIO_s_mem());
+ if (!bpart)
+ return 1;
BIO_set_mem_eof_return(bpart, 0);
} else if (eol)
BIO_write(bpart, "\r\n", 2);
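Review bot: `return 1;` reports success: in 1.0.2g multi_split's other exits (outside the hunk) return 1 after pushing the final part and 0 after `sk_BIO_pop_free(parts, BIO_vfree)` on failure, so a BIO_new() failure would hand the caller a truncated set of parts and leak `parts`. Use the existing failure convention, `if (!bpart) { sk_BIO_pop_free(parts, BIO_vfree); return 0; }`, so the caller sees the error. The start and end of multi_split are outside the hunk.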
=======================================================================
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/asn1', file
'pk7_doit.c', in function 'PKCS7_dataDecode()', there is a call to
BIO_new() which is not checked for a return value of NULL, indicating
failure.
The patch file below should address/correct this issue:
--- pk7_doit.c.orig 2016-03-03 10:08:08.316625383 -0800
+++ pk7_doit.c 2016-03-03 10:09:19.093620776 -0800
@@ -642,6 +642,8 @@
} else {
# if 0
bio = BIO_new(BIO_s_mem());
+ if (bio == NULL)
+ goto err;
/*
* We need to set this so that when we have read all the data, the
* encrypt BIO, if present, will read EOF and encode the last few
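Review bot: The added check sits inside the `# if 0` block that starts two lines above it, so it is compiled out and the patch changes nothing in the built library. If PKCS7_dataDecode has a live `BIO_new(BIO_s_mem())` that needs the check, it is outside this hunk; otherwise this file should be dropped from the series. The enclosing function begins and ends outside the hunk.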
=======================================================================
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4375
Please log in as guest with password guest if prompted
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_ciph.c.patch
Type: application/octet-stream
Size: 323 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0009.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apps.c.patch
Type: application/octet-stream
Size: 315 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0010.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: by_dir.c.patch
Type: application/octet-stream
Size: 472 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0011.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bss_rtcp.c.patch
Type: application/octet-stream
Size: 339 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0012.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: e_capi.c.patch
Type: application/octet-stream
Size: 1238 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0013.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jpake.c.patch
Type: application/octet-stream
Size: 555 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0014.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: t1_lib.c.patch
Type: application/octet-stream
Size: 582 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0015.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: asn_mime.c.patch
Type: application/octet-stream
Size: 408 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0016.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pk7_doit.c.patch
Type: application/octet-stream
Size: 384 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160303/2d1d0600/attachment-0017.obj>