[openssl-dev] [openssl.org #4377] Prevent potential NULL pointer dereference in OpenSSL-1.0.2g (CWE-476)

Yuriy M. Kaminskiy via RT rt at openssl.org
Tue Mar 8 00:49:56 UTC 2016


On 04.03.2016 20:33, Bill Parker via RT wrote:
> In reviewing code in directory 'crypto/evp', in file 'openbsd_hw.c',
> there is a call to OPENSSL_realloc() which is NOT checked for a return
> value of NULL, indicating failure.  However, the statement after this
> is memcpy(), which if the destination variable is NULL, will result
> in a segmentation fault/violation.
>
> The patch file below should address/correct this issue:
>
> --- openbsd_hw.c.orig   2016-03-02 15:36:57.236927351 -0800
> +++ openbsd_hw.c        2016-03-03 18:56:58.169567807 -0800
> @@ -364,6 +378,10 @@
>           return do_digest(md_data->sess.ses, md_data->md, data, len);
>
>       md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len);
> +    if (md_data->data == NULL) {
> +       err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory");
> +       return 0;
> +    }
>       memcpy(md_data->data + md_data->len, data, len);
>       md_data->len += len;
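Review bot: the NULL check at `if (md_data->data == NULL)` comes after the OPENSSL_realloc() result has already been stored into md_data->data, so on failure the hunk leaks the original buffer and leaves the context with md_data->data == NULL while md_data->len still holds the old length, which the next update/final call would then dereference. Realloc into a temporary and only commit it on success, e.g. `p = OPENSSL_realloc(md_data->data, md_data->len + len);`, then `if (p == NULL) { err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory"); return 0; }`, and only after that `md_data->data = p;` before the memcpy(). The other hardware-accelerated update paths in this file that follow the same realloc-then-memcpy pattern would need the same treatment.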

1) After return, it leaves md_data->data = NULL and (possibly)
md_data->len > 0, so the next call to *update or *final will segfault.

2) Leaks the old data that was pointed to by md_data.

P.S. md5, 3des and rc4. At least, it is not in master already.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4377
Please log in as guest with password guest if prompted
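To show the realloc pattern the two points above are about, here is an added example that is not part of the ticket or of OpenSSL: a hypothetical md_buf structure standing in for md_data, an update that keeps the old buffer and length intact when the allocation fails (instead of overwriting the pointer first), and a constructed allocation-failure hook so the error path can be exercised without exhausting memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for md_data in the patch: a growing byte buffer. */
struct md_buf {
    unsigned char *data;
    size_t len;
};

/* Constructed hook: when set, the next allocation fails (exercises the error path). */
static int fail_next_alloc = 0;

static void *hooked_realloc(void *p, size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return realloc(p, n);
}

/* Append len bytes; on failure the old buffer and len stay intact and 0 is returned. */
int md_buf_update(struct md_buf *b, const void *src, size_t len)
{
    unsigned char *tmp;
    if (len > SIZE_MAX - b->len)          /* guard the size addition too */
        return 0;
    tmp = hooked_realloc(b->data, b->len + len); /* never assign directly */
    if (tmp == NULL)
        return 0;                         /* b->data is still the old block */
    b->data = tmp;
    memcpy(b->data + b->len, src, len);
    b->len += len;
    return 1;
}

void md_buf_free(struct md_buf *b) { free(b->data); b->data = NULL; b->len = 0; }

/* Inject one failure mid-stream; returns 1 if the buffer survives it and ends as "abcdef". */
int demo_update_survives_failure(void)
{
    struct md_buf b = { NULL, 0 };
    int ok;
    if (!md_buf_update(&b, "abc", 3)) return 0;
    fail_next_alloc = 1;
    if (md_buf_update(&b, "XYZ", 3) || b.data == NULL || b.len != 3) return 0;
    if (!md_buf_update(&b, "def", 3)) return 0;
    ok = (b.len == 6 && memcmp(b.data, "abcdef", 6) == 0);
    md_buf_free(&b);
    return ok;
}
```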
