[openssl-dev] [openssl.org #4377] Prevent potential NULL pointer dereference in OpenSSL-1.0.2g (CWE-476)

Bill Parker via RT rt at openssl.org
Fri Mar 4 17:33:58 UTC 2016


Hello All,

In reviewing code in directory 'crypto/evp', in file 'openbsd_hw.c',
there is a call to OPENSSL_realloc() which is NOT checked for a return
value of NULL, indicating failure.  However, the statement after this
is memcpy(), which if the destination variable is NULL, will result
in a segmentation fault/violation.

The patch file below should address/correct this issue:

--- openbsd_hw.c.orig   2016-03-02 15:36:57.236927351 -0800
+++ openbsd_hw.c        2016-03-03 18:56:58.169567807 -0800
@@ -364,6 +378,10 @@
         return do_digest(md_data->sess.ses, md_data->md, data, len);

     md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len);
+    if (md_data->data == NULL) {
+       err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory");
+       return 0;
+    }
     memcpy(md_data->data + md_data->len, data, len);
     md_data->len += len;

=======================================================================

Bill Parker (wp02855 at gmail dot com)

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4377
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: realloc_openbsd_hw.c.patch
Type: application/octet-stream
Size: 471 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160304/47626313/attachment.obj>


More information about the openssl-dev mailing list