hi,
there are some places where functions allocating memory are not
checked against NULL, or are checked too late (LHASH code). We run some
tests with libumem(3lib) and "mtbf=5000" (mean time between failure) in
UMEM_DEBUG, simulating occasional memory shortages and that was causing
OpenSSL to crash.
the changes have been used here at Sun internally for 2 years
against 0.9.8a. Attached is a patch generated against 0.9.8l. "make
test" passes on the changed code after rebuilding it.
thanks, Jan.
--
Jan Pechanec
diff -ur openssl-0.9.8l/crypto/evp/digest.c
openssl-0.9.8l-patched//crypto/evp/digest.c
--- openssl-0.9.8l/crypto/evp/digest.c Tue Sep 16 00:21:40 2008
+++ openssl-0.9.8l-patched//crypto/evp/digest.c Tue Dec 8 12:06:21 2009
@@ -127,7 +127,8 @@
{
EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx);
- EVP_MD_CTX_init(ctx);
+ if (ctx)
+ EVP_MD_CTX_init(ctx);
return ctx;
}
@@ -299,7 +300,14 @@
OPENSSL_free(ctx->md_data);
ctx->digest=type;
if (type->ctx_size)
+ {
ctx->md_data=OPENSSL_malloc(type->ctx_size);
+ if (!ctx->md_data)
+ {
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX,
ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
}
#ifndef OPENSSL_NO_ENGINE
skip_to_init:
@@ -380,8 +388,17 @@
if (out->digest->ctx_size)
{
- if (tmp_buf) out->md_data = tmp_buf;
- else out->md_data=OPENSSL_malloc(out->digest->ctx_size);
+ if (tmp_buf)
+ out->md_data = tmp_buf;
+ else
+ {
+ out->md_data=OPENSSL_malloc(out->digest->ctx_size);
+ if (!out->md_data)
+ {
+
EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
memcpy(out->md_data,in->md_data,out->digest->ctx_size);
}
diff -ur openssl-0.9.8l/crypto/lhash/lhash.c
openssl-0.9.8l-patched//crypto/lhash/lhash.c
--- openssl-0.9.8l/crypto/lhash/lhash.c Sun Jan 21 14:16:32 2007
+++ openssl-0.9.8l-patched//crypto/lhash/lhash.c Tue Dec 8 12:06:21 2009
@@ -305,16 +305,40 @@
static void expand(LHASH *lh)
{
LHASH_NODE **n,**n1,**n2,*np;
- unsigned int p,i,j;
+ unsigned int p,i,j,pmax;
unsigned long hash,nni;
+ p=(int)lh->p++;
+ nni=lh->num_alloc_nodes;
+ pmax=lh->pmax;
+
+ if ((lh->p) >= lh->pmax)
+ {
+ j=(int)lh->num_alloc_nodes*2;
+ n=(LHASH_NODE **)OPENSSL_realloc(lh->b,
+ (int)sizeof(LHASH_NODE *)*j);
+ if (n == NULL)
+ {
+/* fputs("realloc error in lhash",stderr); */
+ lh->error++;
+ lh->p=0;
+ return;
+ }
+ /* else */
+ for (i=(int)lh->num_alloc_nodes; i<j; i++)/* 26/02/92 eay */
+ n[i]=NULL; /* 02/03/92 eay */
+ lh->pmax=lh->num_alloc_nodes;
+ lh->num_alloc_nodes=j;
+ lh->num_expand_reallocs++;
+ lh->p=0;
+ lh->b=n;
+ }
+
lh->num_nodes++;
lh->num_expands++;
- p=(int)lh->p++;
n1= &(lh->b[p]);
- n2= &(lh->b[p+(int)lh->pmax]);
+ n2= &(lh->b[p+pmax]);
*n2=NULL; /* 27/07/92 - eay - undefined pointer bug */
- nni=lh->num_alloc_nodes;
for (np= *n1; np != NULL; )
{
@@ -335,35 +359,14 @@
np= *n1;
}
- if ((lh->p) >= lh->pmax)
- {
- j=(int)lh->num_alloc_nodes*2;
- n=(LHASH_NODE **)OPENSSL_realloc(lh->b,
- (int)(sizeof(LHASH_NODE *)*j));
- if (n == NULL)
- {
-/* fputs("realloc error in lhash",stderr); */
- lh->error++;
- lh->p=0;
- return;
- }
- /* else */
- for (i=(int)lh->num_alloc_nodes; i<j; i++)/* 26/02/92 eay */
- n[i]=NULL; /* 02/03/92 eay */
- lh->pmax=lh->num_alloc_nodes;
- lh->num_alloc_nodes=j;
- lh->num_expand_reallocs++;
- lh->p=0;
- lh->b=n;
- }
}
static void contract(LHASH *lh)
{
LHASH_NODE **n,*n1,*np;
+ int idx = lh->p+lh->pmax-1;
- np=lh->b[lh->p+lh->pmax-1];
- lh->b[lh->p+lh->pmax-1]=NULL; /* 24/07-92 - eay - weird but :-( */
+ np=lh->b[idx];
if (lh->p == 0)
{
n=(LHASH_NODE **)OPENSSL_realloc(lh->b,
@@ -383,6 +386,7 @@
else
lh->p--;
+ lh->b[idx] = NULL;
lh->num_nodes--;
lh->num_contracts++;
diff -ur openssl-0.9.8l/crypto/rsa/rsa_eng.c
openssl-0.9.8l-patched//crypto/rsa/rsa_eng.c
--- openssl-0.9.8l/crypto/rsa/rsa_eng.c Tue Sep 16 16:55:26 2008
+++ openssl-0.9.8l-patched//crypto/rsa/rsa_eng.c Tue Dec 8 12:31:24 2009
@@ -208,7 +208,16 @@
ret->mt_blinding=NULL;
ret->bignum_data=NULL;
ret->flags=ret->meth->flags;
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
+ {
+#ifndef OPENSSL_NO_ENGINE
+ if (ret->engine)
+ ENGINE_finish(ret->engine);
+#endif
+ OPENSSL_free(ret);
+ return(NULL);
+ }
+
if ((ret->meth->init != NULL) && !ret->meth->init(ret))
{
#ifndef OPENSSL_NO_ENGINE
diff -ur openssl-0.9.8l/crypto/x509/x509_lu.c
openssl-0.9.8l-patched//crypto/x509/x509_lu.c
--- openssl-0.9.8l/crypto/x509/x509_lu.c Wed May 11 05:45:35 2005
+++ openssl-0.9.8l-patched//crypto/x509/x509_lu.c Tue Dec 8 12:06:21 2009
@@ -198,7 +198,13 @@
ret->cert_crl = 0;
ret->cleanup = 0;
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
+ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
+ {
+ sk_X509_OBJECT_free(ret->objs);
+ OPENSSL_free(ret);
+ return NULL;
+ }
+
ret->references=1;
return ret;
}
