The branch master has been updated via 42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 (commit) from 34ed73339602c361d09fe4233d65cef996356239 (commit)
- Log ----------------------------------------------------------------- commit 42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 Author: Shane Lontis <shane.lon...@oracle.com> Date: Mon Apr 12 13:58:14 2021 +1000 Add more negative checks for integers passed to OPENSSL_malloc(). Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14830) ----------------------------------------------------------------------- Summary of changes: apps/lib/app_x509.c | 2 +- crypto/asn1/a_dup.c | 3 +++ crypto/asn1/a_int.c | 6 +++++- crypto/asn1/a_mbstr.c | 2 ++ crypto/asn1/bio_asn1.c | 2 +- crypto/asn1/p5_pbe.c | 2 ++ crypto/asn1/p5_pbev2.c | 2 ++ crypto/asn1/tasn_utl.c | 2 ++ crypto/bio/bf_buff.c | 10 +++++++--- crypto/bio/bf_lbuf.c | 4 +++- crypto/bio/bss_log.c | 2 ++ crypto/ess/ess_lib.c | 4 ++++ crypto/pkcs12/p12_mutl.c | 2 ++ crypto/pkcs12/p12_utl.c | 5 +++++ crypto/x509/t_x509.c | 2 ++ crypto/x509/v3_conf.c | 2 ++ crypto/x509/v3_ia5.c | 2 +- crypto/x509/x509spki.c | 3 +++ 18 files changed, 49 insertions(+), 8 deletions(-) diff --git a/apps/lib/app_x509.c b/apps/lib/app_x509.c index 00581aabbd..3d9e4fd697 100644 --- a/apps/lib/app_x509.c +++ b/apps/lib/app_x509.c @@ -26,7 +26,7 @@ static ASN1_OCTET_STRING *mk_octet_string(void *value, size_t value_n) if (v == NULL) { BIO_printf(bio_err, "error: allocation failed\n"); - } else if (!ASN1_OCTET_STRING_set(v, value, value_n)) { + } else if (!ASN1_OCTET_STRING_set(v, value, (int)value_n)) { ASN1_OCTET_STRING_free(v); v = NULL; } diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c index bdefa448ec..263c8a0c5e 100644 --- a/crypto/asn1/a_dup.c +++ b/crypto/asn1/a_dup.c @@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x) return NULL; i = i2d(x, NULL); + if (i <= 0) + return NULL; + b = OPENSSL_malloc(i + 10); if (b == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 0fc469804d..19e41ec73e 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, ASN1_INTEGER *ret = NULL; const unsigned char *p; unsigned char *s; - long len; + long len = 0; int inf, tag, xclass; int i; @@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, goto err; } + if (len < 0) { + i = ASN1_R_ILLEGAL_NEGATIVE_VALUE; + goto err; + } /* * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies * a missing NULL parameter. diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c index 208a383af2..22dea873ee 100644 --- a/crypto/asn1/a_mbstr.c +++ b/crypto/asn1/a_mbstr.c @@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, len = strlen((const char *)in); if (!mask) mask = DIRSTRING_TYPE; + if (len < 0) + return -1; /* First do a string check and work out the number of characters */ switch (inform) { diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index dc99e2d7c2..19af059a2c 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b) static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size) { - if ((ctx->buf = OPENSSL_malloc(size)) == NULL) { + if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index b6388cd12f..fb43044822 100644 --- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c @@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, } if (!saltlen) saltlen = PKCS5_SALT_LEN; + if (saltlen < 0) + goto err; sstr = OPENSSL_malloc(saltlen); if (sstr == NULL) { diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index 738e3a0d10..1049f01905 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, kdf->salt->value.octet_string = osalt; kdf->salt->type = V_ASN1_OCTET_STRING; + if (saltlen < 0) + goto merr; if (saltlen == 0) saltlen = PKCS5_SALT_LEN; if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index 12a6b15999..28a4b23aa4 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, return 1; OPENSSL_free(enc->enc); + if (inlen <= 0) + return 0; if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c index 46eff55447..157bc3af45 100644 --- a/crypto/bio/bf_buff.c +++ b/crypto/bio/bf_buff.c @@ -289,7 +289,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) break; case BIO_C_SET_BUFF_READ_DATA: if (num > ctx->ibuf_size) { - p1 = OPENSSL_malloc((int)num); + if (num <= 0) + return 0; + p1 = OPENSSL_malloc((size_t)num); if (p1 == NULL) goto malloc_error; OPENSSL_free(ctx->ibuf); @@ -318,12 +320,14 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) p1 = ctx->ibuf; p2 = ctx->obuf; if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size)) { - p1 = OPENSSL_malloc((int)num); + if (num <= 0) + return 0; + p1 = OPENSSL_malloc((size_t)num); if (p1 == NULL) goto malloc_error; } if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size)) { - p2 = OPENSSL_malloc((int)num); + p2 = OPENSSL_malloc((size_t)num); if (p2 == NULL) { if (p1 != ctx->ibuf) OPENSSL_free(p1); diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c index b1f8d68658..14e2e6613d 100644 --- a/crypto/bio/bf_lbuf.c +++ b/crypto/bio/bf_lbuf.c @@ -235,7 +235,9 @@ static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr) obs = (int)num; p = ctx->obuf; if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size)) { - p = OPENSSL_malloc((int)num); + if (num <= 0) + return 0; + p = OPENSSL_malloc((size_t)num); if (p == NULL) goto malloc_error; } diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c index 1669948f27..23ba8aeb73 100644 --- a/crypto/bio/bss_log.c +++ b/crypto/bio/bss_log.c @@ -196,6 +196,8 @@ static int slg_write(BIO *b, const char *in, int inl) /* The default */ }; + if (inl < 0) + return 0; if ((buf = OPENSSL_malloc(inl + 1)) == NULL) { ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c index 96cb6d053f..ebfe5b93c7 100644 --- a/crypto/ess/ess_lib.c +++ b/crypto/ess/ess_lib.c @@ -223,6 +223,8 @@ int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) int len; len = i2d_ESS_SIGNING_CERT(sc, NULL); + if (len <= 0) + goto err; if ((pp = OPENSSL_malloc(len)) == NULL) { ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE); goto err; @@ -251,6 +253,8 @@ int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc) unsigned char *p, *pp = NULL; int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL); + if (len <= 0) + goto err; if ((pp = OPENSSL_malloc(len)) == NULL) { ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index acf90051c4..70b3ec702b 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -234,6 +234,8 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, } if (!saltlen) saltlen = PKCS12_SALT_LEN; + if (saltlen < 0) + return 0; if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c index af5b628c0f..c3afb6aca1 100644 --- a/crypto/pkcs12/p12_utl.c +++ b/crypto/pkcs12/p12_utl.c @@ -21,6 +21,8 @@ unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, if (asclen == -1) asclen = strlen(asc); + if (asclen < 0) + return NULL; ulen = asclen * 2 + 2; if ((unitmp = OPENSSL_malloc(ulen)) == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE); @@ -44,9 +46,12 @@ char *OPENSSL_uni2asc(const unsigned char *uni, int unilen) { int asclen, i; char *asctmp; + /* string must contain an even number of bytes */ if (unilen & 1) return NULL; + if (unilen < 0) + return NULL; asclen = unilen / 2; /* If no terminating zero allow for one */ if (!unilen || uni[unilen - 1]) diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 5ae952ad1f..0c6d5f72fe 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -236,6 +236,8 @@ int X509_ocspid_print(BIO *bp, X509 *x) goto err; subj = X509_get_subject_name(x); derlen = i2d_X509_NAME(subj, NULL); + if (derlen <= 0) + goto err; if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL) goto err; i2d_X509_NAME(subj, &dertmp); diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c index 7ec4727c4d..f8a7dfe840 100644 --- a/crypto/x509/v3_conf.c +++ b/crypto/x509/v3_conf.c @@ -154,6 +154,8 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, unsigned char *p; ext_len = method->i2d(ext_struc, NULL); + if (ext_len <= 0) + goto merr; if ((ext_der = OPENSSL_malloc(ext_len)) == NULL) goto merr; p = ext_der; diff --git a/crypto/x509/v3_ia5.c b/crypto/x509/v3_ia5.c index c1204eb8fa..6722b6c01f 100644 --- a/crypto/x509/v3_ia5.c +++ b/crypto/x509/v3_ia5.c @@ -29,7 +29,7 @@ char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5) { char *tmp; - if (ia5 == NULL || ia5->length == 0) + if (ia5 == NULL || ia5->length <= 0) return NULL; if ((tmp = OPENSSL_malloc(ia5->length + 1)) == NULL) { ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c index 2e6e7e9f9b..1d371c4761 100644 --- a/crypto/x509/x509spki.c +++ b/crypto/x509/x509spki.c @@ -58,7 +58,10 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki) unsigned char *der_spki, *p; char *b64_str; int der_len; + der_len = i2d_NETSCAPE_SPKI(spki, NULL); + if (der_len <= 0) + return NULL; der_spki = OPENSSL_malloc(der_len); b64_str = OPENSSL_malloc(der_len * 2); if (der_spki == NULL || b64_str == NULL) {