In message <cah8yc8mpmuxmnjdhxf0-fsiu0fjsgwxcpjggipup06w8w83...@mail.gmail.com> 
on Fri, 25 May 2012 11:39:05 -0400, Jeffrey Walton <noloa...@gmail.com> said:

noloader> Perhaps I'm looking at the wrong free function (or I'm not
noloader> reading/deducing correct behavior), but it looks like a double free to
noloader> me:
noloader> 
noloader> void CRYPTO_free(void *str)
noloader> {
noloader>     if (free_debug_func != NULL)
noloader>         free_debug_func(str, 0);
noloader> #ifdef LEVITTE_DEBUG
noloader>     fprintf(stderr, "LEVITTE_DEBUG:         < 0x%p\n", str);
noloader> #endif
noloader>     free_func(str);
noloader>     if (free_debug_func != NULL)
noloader>         free_debug_func(NULL, 1);
noloader> }
noloader> 
noloader> Regarding parameter validation, below is a perfect example since free
noloader> (from above) does not appear to include a size.

Why would it include a size?

noloader> Are implementations verifying `num` is not less than 0 since
noloader> it is defined as an integer?  It's clear the OpenSSL code is
noloader> not verifying its parameters. What's not clear to me is why
noloader> one can even specify a negative size.
noloader> 
noloader> void *CRYPTO_malloc(int num, const char *file, int line)
noloader> {
noloader>     void *ret = NULL;
noloader> 
noloader>     allow_customize = 0;
noloader>     if (malloc_debug_func != NULL)
noloader>     {
noloader>         allow_customize_debug = 0;
noloader>         malloc_debug_func(NULL, num, file, line, 0);
noloader>     }
noloader>     ret = malloc_func(num);
noloader> #ifdef LEVITTE_DEBUG
noloader>     fprintf(stderr, "LEVITTE_DEBUG:         > 0x%p (%d)\n", ret, num);
noloader> #endif
noloader>     if (malloc_debug_func != NULL)
noloader>         malloc_debug_func(ret, num, file, line, 1);
noloader> 
noloader>     return ret;
noloader> }

It's correct that CRYPTO_malloc(), CRYPTO_realloc() and CRYPTO_free()
don't verify the parameters; they are just wrappers around the real
memory routines (malloc(), realloc() and free() by default), and rely
on those to verify parameters as they see fit.

Cheers,
Richard

-- 
Richard Levitte                         rich...@levitte.org
                                        http://richard.levitte.org/

"Life is a tremendous celebration - and I'm invited!"
-- from a friend's blog, translated from Swedish
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
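
Added example (not part of the thread and not OpenSSL source): a C sketch of the size question discussed above, showing what a `size_t` allocator receives when an `int` size is forwarded unchecked, next to a wrapper that rejects negative sizes first. The names `alloc_func`, `size_seen_by_allocator`, `checked_malloc` and `checked_malloc_ok` are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a pluggable allocator pointer; it takes a
 * size_t, like malloc(), which the reply names as the default routine. */
static void *(*alloc_func)(size_t) = malloc;

/* The value the underlying allocator receives when an int size is
 * forwarded without a check: the int is converted to size_t. */
size_t size_seen_by_allocator(int num)
{
    return (size_t)num;
}

/* Hypothetical checked wrapper: refuses a negative size before the
 * int -> size_t conversion can turn it into a huge request.
 * Zero is forwarded; malloc(0) behaviour is implementation-defined. */
void *checked_malloc(int num)
{
    if (num < 0)
        return NULL;
    return alloc_func((size_t)num);
}

/* Returns 1 if checked_malloc(num) produced a block (and frees it), else 0. */
int checked_malloc_ok(int num)
{
    void *p = checked_malloc(num);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    printf("int -1 reaches the allocator as %zu bytes\n",
           size_seen_by_allocator(-1));
    printf("checked_malloc(16): %s\n", checked_malloc_ok(16) ? "ok" : "NULL");
    printf("checked_malloc(-1): %s\n", checked_malloc_ok(-1) ? "ok" : "NULL");
    return 0;
}
```

Without the check, whether a negative `num` fails cleanly depends entirely on how the underlying allocator handles a request near `SIZE_MAX`.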