[openssl-dev] [openssl.org #4404] [PATCH] Missing Sanity Check for OPENSSL_strdup() in OpenSSL-1.1 pre-4

Bill Parker via RT rt at openssl.org
Wed Mar 9 18:05:25 UTC 2016


Hello All,

In reviewing code in directory 'crypto/conf', file 'conf_mod.c',
there is a call to OPENSSL_strdup() which is not checked for a
return value of NULL, indicating failure.

The patch file below adds the test, and releases the previously allocated
memory assigned to 'tmod':

--- conf_mod.c.orig     2016-03-08 18:05:52.017031376 -0800
+++ conf_mod.c  2016-03-08 18:08:22.865203402 -0800
@@ -284,6 +284,10 @@

     tmod->dso = dso;
     tmod->name = OPENSSL_strdup(name);
+    if (tmod->name == NULL) {
+       OPENSSL_free(tmod);
+       return NULL;
+    }
     tmod->init = ifunc;
     tmod->finish = ffunc;

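Review bot: the new early return at `+    if (tmod->name == NULL)` frees `tmod` but does nothing about the `dso` handle stored in `tmod->dso` on the line just above it; that is only leak-free if the caller still owns `dso` and releases it whenever this function returns NULL, so please confirm that error path, otherwise the DSO handle leaks on this new exit. Minor style point: the body of the added `if` is indented seven spaces (`+       OPENSSL_free(tmod);`) while the surrounding code steps by four; reindent the two body lines to match.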
=======================================================================


Bill Parker (wp02855 at gmail dot com)

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4404
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl11-conf_mod.c.patch
Type: application/octet-stream
Size: 321 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160309/7f7d3eef/attachment.obj>
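The pattern the patch introduces, a constructor that checks every allocation and releases the partially built object before returning NULL, shown as an added, self-contained example rather than OpenSSL's own code. The `conf_module` struct, the `my_strdup`/`my_malloc` hooks and the module name `"example_mod"` are all stand-ins constructed for the example so the failure path can be forced and the absence of leaks verified offline.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for OpenSSL's CONF_MODULE; field names mirror the hunk. */
typedef struct {
    void *dso;
    char *name;
    int (*init)(void);
    void (*finish)(void);
} conf_module;

/* Allocation hooks so the failure path can be exercised deterministically. */
static int fail_strdup = 0;        /* set to 1 to make my_strdup() return NULL */
static int live_allocations = 0;   /* outstanding heap blocks, for leak checks */

static void *my_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL)
        live_allocations++;
    return p;
}

static void my_free(void *p) {
    if (p != NULL) {
        live_allocations--;
        free(p);
    }
}

/* Stand-in for OPENSSL_strdup(): honours the fault-injection flag. */
static char *my_strdup(const char *s) {
    if (fail_strdup)
        return NULL;
    size_t n = strlen(s) + 1;
    char *p = my_malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Hardened constructor: on strdup failure the half-built object is released
 * and NULL is returned. The caller keeps ownership of dso, so a NULL return
 * leaves dso for the caller to free. */
static conf_module *module_add(void *dso, const char *name,
                               int (*ifunc)(void), void (*ffunc)(void)) {
    conf_module *tmod = my_malloc(sizeof(*tmod));
    if (tmod == NULL)
        return NULL;
    tmod->dso = dso;
    tmod->name = my_strdup(name);
    if (tmod->name == NULL) {   /* the check the patch adds */
        my_free(tmod);
        return NULL;
    }
    tmod->init = ifunc;
    tmod->finish = ffunc;
    return tmod;
}

static void module_free(conf_module *m) {
    if (m == NULL)
        return;
    my_free(m->name);
    my_free(m);
}

/* Runs the constructor once normally and once with strdup forced to fail;
 * returns 1 if both paths behave and nothing leaks, else 0. */
static int check_module_add(void) {
    int ok = 1;

    fail_strdup = 0;
    conf_module *m = module_add(NULL, "example_mod", NULL, NULL);
    ok &= (m != NULL && strcmp(m->name, "example_mod") == 0);
    module_free(m);
    ok &= (live_allocations == 0);

    fail_strdup = 1;            /* simulate OPENSSL_strdup() returning NULL */
    m = module_add(NULL, "example_mod", NULL, NULL);
    ok &= (m == NULL);
    ok &= (live_allocations == 0);   /* tmod was released on the failure path */
    fail_strdup = 0;
    return ok;
}

int main(void) {
    int ok = check_module_add();
    printf("module_add checks: %s\n", ok ? "pass" : "FAIL");
    return ok ? 0 : 1;
}
```

Without the added check, the forced-failure run would leave `live_allocations` at 1 and a later `module_free()` would pass a NULL `name` to the free routine while the leaked `tmod` is never reclaimed; the counter makes that regression visible without a memory checker.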
