[openssl-dev] [openssl.org #4384] [PATCH] Missing Sanity Check plus potential NULL pointer deref (CWE-476)

Bill Parker via RT rt at openssl.org
Mon Mar 7 17:53:26 UTC 2016


Hello All,

In reviewing code in directory 'engines', file 'e_aep.c', there is a
call to function 'bn_expand()', but it is not checked for a return
value of NULL.  However, a member of the variable 'bn' (bn->d) is used in
memset()/memcpy() calls, but if 'bn' is NULL, a segmentation fault/violation
will occur.

The patch file below checks for a NULL return from 'bn_expand()', but
I was not sure what should be returned from here (so I kludged something
to fit):

--- e_aep.c.orig        2016-03-06 10:47:23.113646348 -0800
+++ e_aep.c     2016-03-06 10:52:27.991394742 -0800
@@ -1137,7 +1137,9 @@
     /*
      * Expand the result bn so that it can hold our big num. Size is in
bits
      */
-    bn_expand(bn, (int)(BigNumSize << 3));
+    if (!bn_expand(bn, (int)(BigNumSize << 3)) == NULL)
+       /* what should we do here, a new error code, etc? */
+       return 117; /*  bn_expand could return NULL, could it not? */

 #  ifdef SIXTY_FOUR_BIT_LONG
     bn->top = BigNumSize >> 3;
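
Review bot: the condition on the added `if` line is inverted. `!` binds tighter than `==`, so `!bn_expand(...) == NULL` first reduces the returned pointer to 0 or 1 and only then compares it with NULL. A successful (non-NULL) return becomes `0 == NULL`, which is true, so the function returns 117 on success. A NULL return becomes `1 == NULL`, which is false, so execution falls through to the `bn->top` assignment, which is the dereference the patch is meant to prevent. Drop the `!` and write `if (bn_expand(bn, (int)(BigNumSize << 3)) == NULL)`. The literal 117 should be replaced with the error value used by the enclosing function's other failure paths, which are not visible in this hunk. The body would also be clearer with braces, since a comment sits between the `if` and the `return`. Separately, the comment context line has been wrapped so that `bits` sits on its own line, which will stop the inline copy of the patch from applying as posted.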

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4384
Please log in as guest with password guest if prompted
