This bug report applies to the OpenSSL FIPS 2.0 module.

If dctx->get_entropy() fails and thus tout is set to NULL, we will
set the output entropy pointer to NULL + blocklen. This will later lead
to a crash, as we check for NULL entropy before calling
fips_cleanup_entropy() but the pointer will be an invalid non-NULL
pointer in this case.

The attached patch prevents returning an invalid non-NULL pointer from the
fips_get_entropy() function.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

diff -up openssl-fips-2.0-test-20120202/fips/rand/fips_drbg_lib.c.entropy openssl-fips-2.0-test-20120202/fips/rand/fips_drbg_lib.c
--- openssl-fips-2.0-test-20120202/fips/rand/fips_drbg_lib.c.entropy	2011-12-13 01:22:17.000000000 +0100
+++ openssl-fips-2.0-test-20120202/fips/rand/fips_drbg_lib.c	2012-04-05 17:42:50.814929366 +0200
@@ -160,6 +160,8 @@ static size_t fips_get_entropy(DRBG_CTX
 		return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
 	rv = dctx->get_entropy(dctx, &tout, entropy + bl,
 				min_len + bl, max_len + bl);
+	if (tout == NULL)
+		return 0;
 	*pout = tout + bl;
 	if (rv < (min_len + bl) || (rv % bl))
 		return 0;
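Review bot: the new guard `if (tout == NULL)` relies on the get_entropy callback clearing `tout` on failure, which nothing in this hunk guarantees; since `rv` is already in hand, also treat `rv == 0` as failure before `*pout = tout + bl;` (or initialise `tout = NULL` before the call), so a callback that fails without writing `tout` cannot still hand back `tout + bl` as a non-NULL entropy pointer.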
