In message <cah8yc8mpmuxmnjdhxf0-fsiu0fjsgwxcpjggipup06w8w83...@mail.gmail.com> on Fri, 25 May 2012 11:39:05 -0400, Jeffrey Walton <noloa...@gmail.com> said:
noloader> Perhaps I'm looking at the wrong free function (or I'm not
noloader> reading/deducing correct behavior), but it looks like a double free to
noloader> me:
noloader>
noloader> void CRYPTO_free(void *str)
noloader> {
noloader>     if (free_debug_func != NULL)
noloader>         free_debug_func(str, 0);
noloader> #ifdef LEVITTE_DEBUG
noloader>     fprintf(stderr, "LEVITTE_DEBUG: < 0x%p\n", str);
noloader> #endif
noloader>     free_func(str);
noloader>     if (free_debug_func != NULL)
noloader>         free_debug_func(NULL, 1);
noloader> }
noloader>
noloader> Regarding parameter validation, below is a perfect example since free
noloader> (from above) does not appear to include a size.

Why would it include a size?

noloader> Are implementations verifying `num` is not less than 0 since
noloader> it is defined as an integer? It's clear the OpenSSL code is
noloader> not verifying its parameters. What's not clear to me is why
noloader> one can even specify a negative size.
noloader>
noloader> void *CRYPTO_malloc(int num, const char *file, int line)
noloader> {
noloader>     void *ret = NULL;
noloader>
noloader>     allow_customize = 0;
noloader>     if (malloc_debug_func != NULL)
noloader>     {
noloader>         allow_customize_debug = 0;
noloader>         malloc_debug_func(NULL, num, file, line, 0);
noloader>     }
noloader>     ret = malloc_func(num);
noloader> #ifdef LEVITTE_DEBUG
noloader>     fprintf(stderr, "LEVITTE_DEBUG: > 0x%p (%d)\n", ret, num);
noloader> #endif
noloader>     if (malloc_debug_func != NULL)
noloader>         malloc_debug_func(ret, num, file, line, 1);
noloader>
noloader>     return ret;
noloader> }

It's correct that CRYPTO_malloc(), CRYPTO_realloc() and CRYPTO_free() don't verify the parameters, they are just wrappers around the real memory routines (malloc(), realloc() and free() by default), and rely on those to verify parameters as they see fit.

Cheers,
Richard

--
Richard Levitte rich...@levitte.org
http://richard.levitte.org/

"Life is a tremendous celebration - and I'm invited!"
-- from a friend's blog, translated from Swedish
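
Added illustration, not part of the original thread and not OpenSSL's code: the sketch below reproduces the call sequence of the quoted CRYPTO_free() with counting stand-ins, so the number of real free calls versus debug-hook calls can be checked, and shows what an unchecked `int num` becomes once it reaches a `size_t` allocator. The names `counting_free`, `counting_hook`, `demo_free`, `size_seen_by_malloc` and `checked_malloc` are hypothetical, and rejecting sizes of zero or less is a policy assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical counters and stand-ins, modelled on the shape of the quoted code. */
static int free_calls, hook_calls;

static void counting_free(void *p) { free_calls++; free(p); }
static void counting_hook(void *p, int before_after)
{
    (void)p; (void)before_after;   /* the hook only observes; it frees nothing */
    hook_calls++;
}

static void (*free_func)(void *) = counting_free;
static void (*free_debug_func)(void *, int) = counting_hook;

/* Same call sequence as the quoted CRYPTO_free(): hook, real free, hook. */
void demo_free(void *str)
{
    if (free_debug_func != NULL)
        free_debug_func(str, 0);
    free_func(str);
    if (free_debug_func != NULL)
        free_debug_func(NULL, 1);
}

/* The value an unchecked wrapper hands to malloc(size_t) for a given int. */
size_t size_seen_by_malloc(int num)
{
    return (size_t)num;
}

/* Checked variant (assumed policy): refuse non-positive sizes up front. */
void *checked_malloc(int num)
{
    if (num <= 0)
        return NULL;
    return malloc((size_t)num);
}

int main(void)
{
    void *p = checked_malloc(16);
    demo_free(p);
    printf("free_func calls: %d, hook calls: %d\n", free_calls, hook_calls);
    printf("-1 as size_t: %zu\n", size_seen_by_malloc(-1));
    printf("checked_malloc(-1): %p\n", checked_malloc(-1));
    return 0;
}
```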