The branch OpenSSL_1_1_0-stable has been updated via 57106f55a5de6186af4ff78484d99528a6935be4 (commit) via 05f754f6a6a2aaceef18069a6ce11aacdb86c84c (commit) from 322b739be5cae8b6cfb55e51d59c2f828ae3a993 (commit)
- Log ----------------------------------------------------------------- commit 57106f55a5de6186af4ff78484d99528a6935be4 Author: Matt Caswell <m...@openssl.org> Date: Thu Sep 8 11:06:29 2016 +0100 Convert num_alloc to a size_t in stack.c and tweak style We were casting num_alloc to size_t in lots of places, or just using it in a context where size_t makes more sense - so convert it. This simplifies the code a bit. Also tweak the style in stack.c a bit following on from the previous commit Reviewed-by: Rich Salz <rs...@openssl.org> (cherry picked from commit 9205ebeb8e448b2d6948b9e5d78ecf309c0ed33c) commit 05f754f6a6a2aaceef18069a6ce11aacdb86c84c Author: Guido Vranken <guidovran...@gmail.com> Date: Thu Sep 8 10:43:37 2016 +0100 Prevent overflows in stack API Reviewed-by: Rich Salz <rs...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (cherry picked from commit 9731a9ce7d0f404d21ed418f9bc983b174e130cb) ----------------------------------------------------------------------- Summary of changes: crypto/stack/stack.c | 53 +++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index acd350a..1d01936 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -9,6 +9,7 @@ #include <stdio.h> #include "internal/cryptlib.h" +#include "internal/numbers.h" #include <openssl/stack.h> #include <openssl/objects.h> @@ -16,7 +17,7 @@ struct stack_st { int num; const char **data; int sorted; - int num_alloc; + size_t num_alloc; OPENSSL_sk_compfunc comp; }; @@ -40,6 +41,9 @@ OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk) { OPENSSL_STACK *ret; + if (sk->num < 0) + return NULL; + if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) return NULL; 
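Review bot: The guard added at the top of OPENSSL_sk_dup reads `sk->num` as the function's first statement with no NULL test, whereas OPENSSL_sk_insert in this same commit tests `st == NULL` before touching the struct. If a NULL stack can reach this function, the guard could read `if (sk == NULL || sk->num < 0)`; whether callers already rule that out is not visible here. The early return also makes a corrupted count look the same to the caller as an allocation failure, so a comment such as `/* a negative count means the stack is corrupt; refuse to copy it */` would record why the check exists. Both points apply equally to the identical guard added to OPENSSL_sk_deep_copy; the rest of OPENSSL_sk_dup lies outside the hunk.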
@@ -62,13 +66,16 @@ OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk, OPENSSL_STACK *ret; int i; + if (sk->num < 0) + return NULL; + if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) return NULL; /* direct structure assignment */ *ret = *sk; - ret->num_alloc = sk->num > MIN_NODES ? sk->num : MIN_NODES; + ret->num_alloc = sk->num > MIN_NODES ? (size_t)sk->num : MIN_NODES; ret->data = OPENSSL_zalloc(sizeof(*ret->data) * ret->num_alloc); if (ret->data == NULL) { OPENSSL_free(ret); 
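Review bot: The allocation size `sizeof(*ret->data) * ret->num_alloc` in OPENSSL_sk_deep_copy is still computed without the multiplication bound that this commit adds to OPENSSL_sk_insert. `ret->num_alloc` can be as large as INT_MAX here, so where size_t is 32 bits the product can wrap and OPENSSL_zalloc would return a buffer smaller than `num` entries. A guard before the allocation, `if (ret->num_alloc > SIZE_MAX / sizeof(*ret->data)) { OPENSSL_free(ret); return NULL; }`, would make the two functions consistent. The element copy that uses this buffer is outside the hunk.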
@@ -113,28 +120,44 @@ OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_compfunc c) int OPENSSL_sk_insert(OPENSSL_STACK *st, const void *data, int loc) { - const char **s; - - if (st == NULL) + if (st == NULL || st->num < 0 || st->num == INT_MAX) { return 0; - if (st->num_alloc <= st->num + 1) { - s = OPENSSL_realloc((char *)st->data, - (unsigned int)sizeof(char *) * st->num_alloc * 2); - if (s == NULL) - return (0); - st->data = s; - st->num_alloc *= 2; } - if ((loc >= (int)st->num) || (loc < 0)) + + if (st->num_alloc <= (size_t)(st->num + 1)) { + size_t doub_num_alloc = st->num_alloc * 2; + + /* Overflow checks */ + if (doub_num_alloc < st->num_alloc) + return 0; + + /* Avoid overflow due to multiplication by sizeof(char *) */ + if (doub_num_alloc > SIZE_MAX / sizeof(char *)) + return 0; + + st->data = OPENSSL_realloc((char *)st->data, + sizeof(char *) * doub_num_alloc); + if (st->data == NULL) { + /* + * Reset these counters to prevent subsequent operations on + * (now non-existing) heap memory + */ + st->num_alloc = 0; + st->num = 0; + return 0; + } + st->num_alloc = doub_num_alloc; + } + if ((loc >= st->num) || (loc < 0)) { st->data[st->num] = data; - else { + } else { memmove(&st->data[loc + 1], &st->data[loc], sizeof(st->data[0]) * (st->num - loc)); st->data[loc] = data; } st->num++; st->sorted = 0; - return (st->num); + return st->num; } void *OPENSSL_sk_delete_ptr(OPENSSL_STACK *st, const void *p) _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
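Review bot: Assigning the result of OPENSSL_realloc straight to `st->data` loses the original array when the call fails: the old block is still allocated but no longer referenced, and resetting `num` and `num_alloc` to zero drops every element the stack held. The removed code kept the result in a temporary and left the stack intact on failure, so this changes behaviour on the out-of-memory path, and a caller that owns the elements can no longer reach them to free them. After the reset `num_alloc * 2` is also zero, so a later insert never asks for a usable size. Keeping the temporary, as below, preserves both overflow checks and makes the reset unnecessary.

```c
    if (st->num_alloc <= (size_t)(st->num + 1)) {
        size_t doub_num_alloc = st->num_alloc * 2;
        const char **tmpdata;

        /* ... unchanged: the two overflow checks ... */

        tmpdata = OPENSSL_realloc((char *)st->data,
                                  sizeof(char *) * doub_num_alloc);
        if (tmpdata == NULL)
            return 0;   /* st->data, st->num and st->num_alloc are still valid */
        st->data = tmpdata;
        /* ... unchanged: st->num_alloc = doub_num_alloc ... */
```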