On Tue, Aug 11, 2009, Alexei Khlebnikov wrote:

> Hi,
>
> I've found a memory leak and a potential buffer overflow in the
> d2i_SSL_SESSION() function. The fix is attached. Some explanations are
> below.
>
> 1) First part. Memory leak. When doing simply "return(NULL)", the SSL_SESSION
> object at the "a" pointer is not deallocated. I changed it so that it will be
> deallocated by the M_ASN1_D2I_Finish macro at the end of the function.
>
> 2) Second part. Potential buffer overflow. Here, a too-big os.length value is
> written into ret->sid_ctx_length. An SSL error is registered, but no
> indication of its existence is given to the caller, i.e. NULL is not
> returned from the function. The caller will expect the created SSL_SESSION
> object to be valid. If the caller is not careful enough and does not check
> "sid_ctx_length <= SSL_MAX_SID_CTX_LENGTH", he can get a buffer overflow
> when working with sid_ctx of incorrect length sid_ctx_length. The fix does
> the following:
> 2.1) Not setting ret->sid_ctx_length to the (too big) os.length.
> 2.2) Reporting the error via the M_ASN1_D2I_* macros instead of SSLerr to
> prevent duplicate reporting.
> 2.3) Error exit from the function, with "SSL_SESSION *a" deallocation.
>
> Hoping the patch will be useful.
Please send any patches or bug reports to the request tracker in future. That way they don't get overlooked.

While these are minor issues, they are unlikely to happen unless something is very badly wrong. The SSL_SESSION structure and its encoding cannot be fed into OpenSSL from an untrusted source (well, not unless an application designer has decided to do this very stupid thing); they will only have been previously created by OpenSSL itself using sane values.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
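The pattern Alexei describes, as an added illustration that is neither his patch nor OpenSSL's code: a constructed, simplified session decoder in C with a one-byte length prefix (the names `session_t`, `SID_CTX_MAX`, `decode_session_unchecked`, `decode_session_checked` and `run_decoder` are all assumptions of this example). The unchecked form flags the error but still stores the oversized length and returns the object, so a caller that trusts `sid_ctx_length` has no signal that the session is unusable; the checked form never stores the bad length, frees the partially built object and returns NULL, which is the behaviour points 2.1 to 2.3 of the report ask for.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not OpenSSL code: a session with a fixed-size
 * session-id-context buffer, decoded from one length byte followed by
 * that many context bytes. */
#define SID_CTX_MAX 32          /* stands in for SSL_MAX_SID_CTX_LENGTH */

typedef struct {
    unsigned int  sid_ctx_length;
    unsigned char sid_ctx[SID_CTX_MAX];
} session_t;

/* Pattern the report describes: the error is flagged and the oversized
 * length is recorded, but the object is still handed back to the caller. */
static session_t *decode_session_unchecked(const unsigned char *in, size_t inlen, int *err)
{
    session_t *s;
    size_t len;

    *err = 0;
    if (inlen < 1)
        return NULL;
    len = in[0];
    if (inlen - 1 < len)                /* truncated input */
        return NULL;
    s = calloc(1, sizeof(*s));
    if (s == NULL)
        return NULL;
    if (len > SID_CTX_MAX) {
        *err = 1;                               /* error reported ... */
        s->sid_ctx_length = (unsigned int)len;  /* ... but bogus length stored */
    } else {
        memcpy(s->sid_ctx, in + 1, len);
        s->sid_ctx_length = (unsigned int)len;
    }
    return s;                           /* ... and the object is returned anyway */
}

/* Hardened form: the bad length is never stored, the partially built
 * object is freed, and NULL tells the caller the decode failed. */
static session_t *decode_session_checked(const unsigned char *in, size_t inlen, int *err)
{
    session_t *s;
    size_t len;

    *err = 0;
    if (inlen < 1)
        return NULL;
    len = in[0];
    if (inlen - 1 < len)
        return NULL;
    s = calloc(1, sizeof(*s));
    if (s == NULL)
        return NULL;
    if (len > SID_CTX_MAX) {
        *err = 1;
        free(s);                        /* no half-initialised object escapes */
        return NULL;
    }
    memcpy(s->sid_ctx, in + 1, len);
    s->sid_ctx_length = (unsigned int)len;
    return s;
}

/* What a caller can observe after a decode, so the two decoders can be
 * compared without printing. */
typedef struct {
    int got_object;           /* decoder returned a non-NULL session */
    int err;                  /* decoder flagged an error */
    unsigned int claimed_len; /* sid_ctx_length as stored (0 if no object) */
    int consistent;           /* claimed_len <= SID_CTX_MAX, i.e. safe to use */
} outcome_t;

typedef session_t *(*decoder_fn)(const unsigned char *, size_t, int *);

/* Builds a constructed blob claiming `claimed` context bytes (all 0xAB)
 * and runs it through `dec`. `claimed` must fit in one byte (<= 255). */
static outcome_t run_decoder(decoder_fn dec, size_t claimed)
{
    unsigned char blob[1 + 255];
    outcome_t o = {0, 0, 0, 0};
    session_t *s;

    blob[0] = (unsigned char)claimed;
    memset(blob + 1, 0xAB, claimed);
    s = dec(blob, 1 + claimed, &o.err);
    if (s != NULL) {
        o.got_object = 1;
        o.claimed_len = s->sid_ctx_length;
        o.consistent = (s->sid_ctx_length <= SID_CTX_MAX);
        free(s);
    }
    return o;
}

int main(void)
{
    outcome_t a = run_decoder(decode_session_unchecked, 40);
    outcome_t b = run_decoder(decode_session_checked, 40);
    printf("unchecked: object=%d err=%d sid_ctx_length=%u consistent=%d\n",
           a.got_object, a.err, a.claimed_len, a.consistent);
    printf("checked:   object=%d err=%d\n", b.got_object, b.err);
    return 0;
}
```

With a 40-byte context the unchecked decoder returns an object whose `sid_ctx_length` is 40 while the buffer holds 32, which is exactly the inconsistency a caller would have to detect itself; the checked decoder returns NULL and the caller has nothing to get wrong. Steve's point stands alongside this: in practice the encoded session comes from OpenSSL itself, so the check is defence in depth rather than a fix for a reachable bug.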
