On Sat, 2012-04-07 at 21:44 +0200, Stephen Henson via RT wrote:
> > [[email protected] - Sat Apr 07 15:39:00 2012]:
> >
> > This bug report applies to the OpenSSL FIPS 2.0 module.
> >
> > If dctx->get_entropy() fails and thus tout is set to NULL, we will
> > set the output entropy pointer to NULL + blocklen. This will later lead
> > to a crash, as we check for NULL entropy before calling
> > fips_cleanup_entropy() but it will be an invalid non-NULL pointer in this
> > case.
> >
> > The attached patch prevents returning an invalid non-NULL pointer from the
> > fips_get_entropy() function.
> >
> >
>
> While that is valid, changing the FIPS code at this late stage of the
> validation is problematical.
>
> Since the output entropy pointer is restored to its original value in
> fips_cleanup_entropy can't we just make sure that function treats a NULL
> parameter as a no-op instead?
Yes, that's surely possible as well.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
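
The failure path discussed in this thread, modelled as an added example; it is not OpenSSL's FIPS module code and not the attached patch. The `demo_*` names, the struct and the calloc-backed entropy source are assumptions made for illustration, and both fixes mentioned in the thread are shown together.

```c
#include <stdlib.h>

/* Hypothetical stand-in for a DRBG context; not OpenSSL's DRBG_CTX. */
struct demo_ctx {
    size_t blocklen;          /* extra leading block requested from the source */
    int source_fails;         /* constructed switch: make the source fail */
    int cleanup_calls;        /* times the source cleanup ran */
    int restored_ok;          /* cleanup got back the pointer the source returned */
    unsigned char *allocated; /* pointer the source returned */
};

/* Entropy source callback: sets *out to NULL and returns 0 on failure. */
static size_t demo_source(struct demo_ctx *c, unsigned char **out, size_t len) {
    *out = c->source_fails ? NULL : calloc(1, len);
    c->allocated = *out;
    return *out ? len : 0;
}

static void demo_source_cleanup(struct demo_ctx *c, unsigned char *buf) {
    c->cleanup_calls++;
    c->restored_ok = (buf == c->allocated);
    free(buf);
}

/* Wrapper: requests blocklen extra bytes, hands back the part after them. */
static size_t demo_get_entropy(struct demo_ctx *c, unsigned char **pout, size_t len) {
    unsigned char *tout = NULL;
    size_t rv = demo_source(c, &tout, len + c->blocklen);
    if (tout == NULL) {   /* reported pattern: *pout = tout + blocklen here */
        *pout = NULL;     /* first fix: never hand back an offset NULL */
        return 0;
    }
    *pout = tout + c->blocklen;
    return rv - c->blocklen;
}

/* Second fix from the thread: a NULL parameter is a no-op. */
static void demo_cleanup_entropy(struct demo_ctx *c, unsigned char *out) {
    if (out != NULL)
        demo_source_cleanup(c, out - c->blocklen); /* restore original pointer */
}

int main(void) {
    struct demo_ctx c = { 16, 1, 0, 0, NULL };
    unsigned char *e = NULL;
    size_t n = demo_get_entropy(&c, &e, 32);   /* source fails */
    demo_cleanup_entropy(&c, e);               /* must not reach the source */
    return (n == 0 && e == NULL && c.cleanup_calls == 0) ? 0 : 1;
}
```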