[openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g

Bill Parker via RT rt at openssl.org
Mon Mar 7 17:47:28 UTC 2016


In reviewing code in directory 'crypto/asn1', file 'asn_moid.c', in
function 'do_create()', there is a call to 'OBJ_nid2obj()' which is
not checked for a return value of NULL.

The patch file below adds the check and returns 0 if NULL is returned:

--- asn_moid.c.orig     2016-03-06 17:09:03.019903938 -0800
+++ asn_moid.c  2016-03-06 17:09:41.778829998 -0800
@@ -146,6 +146,8 @@
         memcpy(lntmp, ln, p - ln);
         lntmp[p - ln] = 0;
         oid = OBJ_nid2obj(nid);
+       if (oid == NULL)
+           return 0;
         oid->ln = lntmp;
     }
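Review bot: the early `return 0` under `if (oid == NULL)` comes right after `lntmp` has been filled by `memcpy(lntmp, ln, p - ln)`. If `lntmp` is heap-allocated earlier in do_create() (the allocation is outside this hunk), this path drops it without a free, so release it before returning. The two added lines also do not line up with the indentation of the surrounding context lines.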


=======================================================================

In reviewing code in directory 'crypto/asn1', file 'p5_pbev2.c', in
functions 'PKCS5_pbe2_set_iv()' and 'PKCS5_pbkdf2_set()', there are calls
to 'OBJ_nid2obj()' which are not checked for a return value of NULL.

The patch file below adds the check and goes to merr: if NULL is returned:

--- p5_pbev2.c.orig     2016-03-06 17:21:56.612223544 -0800
+++ p5_pbev2.c  2016-03-06 17:23:25.049463462 -0800
@@ -105,6 +105,8 @@
         goto err;
     }
     obj = OBJ_nid2obj(alg_nid);
+    if (obj == NULL)
+       goto merr;

     if (!(pbe2 = PBE2PARAM_new()))
         goto merr;
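Review bot: the new check after `obj = OBJ_nid2obj(alg_nid)` jumps to `merr`, while the failure just above it in the same hunk exits through `goto err`. A NULL from a NID lookup is not the same kind of failure as the `PBE2PARAM_new()` allocation below, which also goes to `merr`. If `merr` records an allocation-failure error code, `goto err` is the better target here, or the lookup failure needs its own error reason.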
@@ -169,6 +171,8 @@
         goto merr;

     ret->algorithm = OBJ_nid2obj(NID_pbes2);
+    if (ret->algorithm == NULL)
+       goto merr;

     /* Encode PBE2PARAM into parameter */

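Review bot: on the new `goto merr` after `ret->algorithm = OBJ_nid2obj(NID_pbes2)`, the NULL has already been stored in `ret->algorithm` before the jump. Please confirm that the cleanup under `merr` frees `ret` safely when its `algorithm` member is NULL. The `goto merr;` line is also indented one column short of the other `goto merr;` lines in this file.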
@@ -258,6 +262,8 @@
         goto merr;

     keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+    if (!keyfunc->algorithm)
+       goto merr;

     /* Encode PBKDF2PARAM into parameter of pbe2 */

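Review bot: style point on `if (!keyfunc->algorithm)`: the other two checks added to this file are written as `== NULL` (`if (obj == NULL)`, `if (ret->algorithm == NULL)`). Use `if (keyfunc->algorithm == NULL)` here so the three checks in p5_pbev2.c read the same way.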

=======================================================================

In reviewing code in directory 'crypto/asn1', file 'x_attrib.c', in
function 'X509_ATTRIBUTE_create()' there is a call to 'OBJ_nid2obj()'
which is not checked for a return value of NULL.

The patch file below adds the check and goes to err: if NULL is returned:

--- x_attrib.c.orig     2016-03-06 17:35:12.565385098 -0800
+++ x_attrib.c  2016-03-06 17:37:35.383536550 -0800
@@ -105,6 +105,8 @@
     if ((ret = X509_ATTRIBUTE_new()) == NULL)
         return (NULL);
     ret->object = OBJ_nid2obj(nid);
+    if (ret->object == NULL)
+       goto err;
     ret->single = 0;
     if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL)
         goto err;
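Review bot: the new `goto err` after `ret->object = OBJ_nid2obj(nid)` is taken before `ret->value.set` is assigned by `sk_ASN1_TYPE_new_null()` and before `ret->single = 0`. The `err` path is therefore now reached with `ret` in an earlier state than any existing jump in this hunk produces. Please confirm that the cleanup there handles a `ret` whose `object` is NULL and whose `value.set` has not been set by this function.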

=======================================================================

In reviewing code in directory 'crypto/asn1', file 'tasn_new.c', in
function 'ASN1_primitive_new()' there is a call to 'OBJ_nid2obj()'
which is not checked for a return value of NULL.

The patch file below adds the check and returns 0 if NULL is returned:

--- tasn_new.c.orig     2016-03-06 17:39:25.320508974 -0800
+++ tasn_new.c  2016-03-06 17:40:31.614934655 -0800
@@ -328,6 +328,8 @@
     switch (utype) {
     case V_ASN1_OBJECT:
         *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef);
+       if (!pval)
+           return 0;
         return 1;

     case V_ASN1_BOOLEAN:
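Review bot: `if (!pval)` tests the wrong thing. `pval` is the output pointer and has already been dereferenced one line earlier by `*pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef);`, so this condition cannot detect a NULL return from OBJ_nid2obj(). The check should be on the stored value, `if (*pval == NULL)`, with `return 0;` as written. The added lines are also not aligned with the surrounding `case` body.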

=======================================================================

Bill Parker (wp02855 at gmail dot com)

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4381
Please log in as guest with password guest if prompted
