Hi,

I've found a memory leak and a potential buffer overflow in d2i_SSL_SESSION() function. The fix is attached. Some explanations are below.

1) First part. Memory leak. When doing simply "return(NULL)", SSL_SESSION object at "a" pointer is not deallocated. I changed it so that it will be deallocated by M_ASN1_D2I_Finish macro at the end of the function.

2) Second part. Potential buffer overflow. Here, too big os.length value is written into ret->sid_ctx_length. SSL error is registered, but no indication about its existence is given to the caller, i.e. NULL is not returned from the function. The caller will expect the created SSL_SESSION object to be valid. If the caller is not careful enough and will not check "sid_ctx_length <= SSL_MAX_SID_CTX_LENGTH" - he can get a buffer overflow when working with sid_ctx of incorrect length sid_ctx_length. The fix does the following:
    2.1) Not setting ret->sid_ctx_length to (too big) os.length
    2.2) Reporting error via M_ASN1_D2I_* macros instead of SSLerr to prevent duplicate reporting.
    2.3) Error exit from the function, with "SSL_SESSION *a" deallocation.

Hoping the patch will be useful.

--
Best regards,
Alexei Khlebnikov,
Opera Software ASA, Norway.

Attachment: memleak-and-potential-buf-overflow.2009-08-11.patch
Description: Binary data
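As an added illustration, not the attached patch and not OpenSSL's code: a cut-down C model of the two decoder shapes described in point 2 above, with a constructed length-prefixed input standing in for the OCTET STRING "os" and assumed names (struct session, MAX_SID_CTX_LENGTH, the decode_* functions).

```c
#include <stddef.h>
#include <string.h>
#define MAX_SID_CTX_LENGTH 32   /* assumed stand-in for SSL_MAX_SID_CTX_LENGTH */

/* Hypothetical cut-down session object (not OpenSSL's SSL_SESSION). */
struct session { unsigned char sid_ctx[MAX_SID_CTX_LENGTH]; size_t sid_ctx_length; };

/* Shape the report describes: the oversized length is stored, the error is only
 * noted, and the function still reports success, so the caller trusts the object.
 * Input for both decoders: one length byte, then that many content bytes. */
int decode_sid_ctx_unchecked(struct session *s, const unsigned char *in, size_t in_len)
{
    if (in_len < 1 || in_len - 1 < in[0]) return 0;
    size_t len = in[0];
    s->sid_ctx_length = len;                 /* may exceed sizeof s->sid_ctx */
    memcpy(s->sid_ctx, in + 1, len < MAX_SID_CTX_LENGTH ? len : MAX_SID_CTX_LENGTH);
    return 1;
}

/* Fixed shape: reject before touching the object, so the caller sees the failure
 * and sid_ctx_length can never exceed the buffer it describes. */
int decode_sid_ctx_checked(struct session *s, const unsigned char *in, size_t in_len)
{
    if (in_len < 1 || in_len - 1 < in[0]) return 0;
    size_t len = in[0];
    if (len > MAX_SID_CTX_LENGTH) return 0;  /* error exit instead of a silent lie */
    memcpy(s->sid_ctx, in + 1, len);
    s->sid_ctx_length = len;
    return 1;
}

/* Constructed input: length byte 40, then 40 bytes of 'A' (longer than the array). */
static void build_oversized(unsigned char buf[41]) { buf[0] = 40; memset(buf + 1, 'A', 40); }

/* sid_ctx_length the unchecked decoder leaves behind while reporting success. */
size_t unchecked_result_length(void)
{
    unsigned char buf[41]; struct session s = {{0}, 0};
    build_oversized(buf);
    return decode_sid_ctx_unchecked(&s, buf, sizeof buf) ? s.sid_ctx_length : 0;
}

/* 1 if the checked decoder rejects the same input and leaves the object untouched. */
int checked_rejects_oversized(void)
{
    unsigned char buf[41]; struct session s = {{0}, 0};
    build_oversized(buf);
    return decode_sid_ctx_checked(&s, buf, sizeof buf) == 0 && s.sid_ctx_length == 0;
}
```

The unchecked variant hands back an object whose sid_ctx_length (40) is larger than its sid_ctx array, which is exactly the state a trusting caller would then index into.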
