This patch is incorrect. You cannot hope to get the length of an
arbitrary heap block using strlen.

A lot of the time you might get 'lucky' and this memset will be short
and therefore just ineffective at zeroing the to-be-freed block.
Sometimes you'll be unlucky and you will completely trash your heap,
possibly in an exploitable way.

There is no portable way to get the length of a heap block after an
allocation is completed. Most allocator-wrapping layers which need it
extend the allocation by maxalign(sizeof(size_t)) and stash the length
before the allocation, then retrieve it later in free. But this is
really quite expensive - commonly 8 bytes per allocation - and it
ensures that calling code requesting carefully chosen power-of-two
blocks no longer fits into common allocator bucket sizes.

Cheers,
Joe

On 14 April 2014 20:53, Markus Grundmann via RT <r...@openssl.org> wrote:
> Hi!
>
> I have "checked" the current source code of 'crypto/mem.c' and I'm a
> little bit surprised that no memset() calls are made before the free_*()
> functions are entered. I think a "zeroing" of the previously used memory
> is a good solution to guard against accessing old memory content.
>
> ---
>
> $ diff ../../openssl-1.0.1g/crypto/mem.c mem.c (after my modifications)
> 285a286,288
>>     if (!str) return;
>>     else memset(str,0,strlen(str));
>>
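Review bot: strlen(str) in this memset is not the size of the block being freed; it counts bytes up to the first zero byte, so a buffer holding binary material (a key with an embedded 0x00) is only partially cleared, and a block containing no zero byte at all is read and written past its end. The free wrapper has no portable way to recover the allocation length at this point; callers who know the length can already use OPENSSL_cleanse(ptr, len), and a plain memset() immediately before a free is in any case liable to be removed by the compiler as a dead store. Drop this hunk, or make the length an explicit argument supplied by the caller.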
> 293a297,298
>>
>>     str = NULL;
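Review bot: `str = NULL;` assigns to the function's own copy of the pointer and has no effect on the caller, whose variable still holds the freed address; it is a dead store. Preventing use-after-free at this level has to be done at the call site (or via a macro that takes the address of the caller's variable), not inside the free routine.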
> 324a330
>>         if (ret && num > 0) memset(ret,0,num);
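Review bot: `if (ret && num > 0) memset(ret,0,num);` zeroes freshly allocated memory, which is unrelated to the stated goal of clearing memory before it is freed and adds a full pass over every allocation, most of which the caller immediately overwrites. If calloc-like behaviour is wanted for particular callers, give them a separate zeroing allocator rather than changing the cost of every allocation.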
> 328a335,342
>>
>>     /* Check parameters
>>      */
>>         if (!str || !file || line <= 0)
>>     {
>>                return NULL;
>>     }
>>
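Review bot: the check `if (!str || !file || line <= 0) return NULL;` turns the diagnostic arguments `file` and `line` into hard failures: a caller that passes a NULL file name or a line of 0 now gets NULL back and cannot distinguish that from an out-of-memory condition. Keep only the `str` check if the function cannot handle a NULL input, and drop the `file`/`line` conditions. The indentation is also inconsistent (the `if` is indented deeper than its own `{` and `}`), which should be fixed to match the surrounding code.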
> 330a345
>>     if (!ret) return NULL;
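Review bot: `if (!ret) return NULL;` directly after the allocation is worthwhile if the following lines dereference `ret` unconditionally, but confirm that nothing after this point (a debug callback, locking, accounting) must still run when the allocation fails, since the early return skips it and changes behaviour on the out-of-memory path.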
> 391a407,409
>>     if (!str) return;
>>         else memset(str,0,strlen(str));
>>
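Review bot: same defect as the hunk at 285a286,288: strlen() gives the distance to the first zero byte, not the block size, so this memset under-clears binary buffers and overruns blocks that contain no terminator. The `else` is also indented one level deeper than its `if`. Remove the memset or give the function an explicit length argument.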
> 396a415
>>     if (!str) return;
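Review bot: `if (!str) return;` duplicates the NULL check the hunk at 391a407,409 adds a few lines earlier in what the line numbers indicate is the same function; if so, NULL never reaches this line and the second check should be dropped. Note also that free(NULL) is already a no-op in C, so the main effect of returning early here is to skip whatever debug or accounting hooks follow in the function; make sure that is intended.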
> 399a419
>>     str = NULL;
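Review bot: as with the `str = NULL;` added at 293a297,298, this writes to the callee's local copy of the pointer; the caller's variable is untouched and still dangles after the free. Drop it.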
>
>
> --
> Best regards,
> Markus
>
> Better Privacy with PGP encrypted Mail: http://activezone.de/pgp/
> Fingerprint: 58C5 8BAF 6FCE B24F 1881 B5B8 F2A8 E1D0 484B 0054
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
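To make Joe's point concrete, here is an added example, not code from this thread or from OpenSSL, of the size-stashing wrapper he describes: the requested length is written into a header placed in front of the block and read back in the free routine, so the whole allocation can be cleared without resorting to strlen(). The function names, the sample "key" bytes, and the use of a union of wide scalar types as a stand-in for the platform's maximum alignment are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header rounding unit: a union of wide scalars approximates the platform's
 * maximum alignment (an assumption here; C11 code could use alignof(max_align_t)). */
union max_align { long long ll; long double ld; void *p; size_t sz; };
#define MAXALIGN  sizeof(union max_align)
#define HDR_SIZE  (((sizeof(size_t) + MAXALIGN - 1) / MAXALIGN) * MAXALIGN)

/* Allocate num bytes, recording num in a header directly before them. */
void *sized_malloc(size_t num)
{
    unsigned char *raw;
    if (num == 0 || num > SIZE_MAX - HDR_SIZE)
        return NULL;
    raw = malloc(HDR_SIZE + num);
    if (raw == NULL)
        return NULL;
    memcpy(raw, &num, sizeof num);   /* stash the requested length */
    return raw + HDR_SIZE;           /* payload stays MAXALIGN-aligned */
}

/* Read the length back. Valid only for pointers from sized_malloc(). */
size_t sized_length(const void *p)
{
    size_t num;
    memcpy(&num, (const unsigned char *)p - HDR_SIZE, sizeof num);
    return num;
}

/* Zero through a volatile pointer so the stores cannot be dropped as dead writes. */
static void cleanse(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Zero the whole payload using the recorded length; returns bytes wiped. */
size_t sized_wipe(void *p)
{
    size_t num;
    if (p == NULL)
        return 0;
    num = sized_length(p);
    cleanse(p, num);
    return num;
}

/* Wipe payload and header, then release the raw block. */
void sized_free(void *p)
{
    unsigned char *raw;
    if (p == NULL)
        return;
    raw = (unsigned char *)p - HDR_SIZE;
    sized_wipe(p);
    cleanse(raw, HDR_SIZE);
    free(raw);
}

/* Constructed 32-byte "key" with a zero byte at offset 5. Returns what
 * strlen() reports, stores the header's length in *recorded, and sets
 * *fully_wiped to 1 if sized_wipe() zeroed all 32 bytes. */
size_t demo_block(size_t *recorded, int *fully_wiped)
{
    unsigned char *key = sized_malloc(32);
    size_t seen, i;
    *recorded = 0; *fully_wiped = 0;         /* outputs defined even on failure */
    if (key == NULL)
        return (size_t)-1;
    for (i = 0; i < 32; i++)
        key[i] = (unsigned char)(0x41 + i);  /* constructed sample bytes */
    key[5] = 0;                              /* binary data: embedded zero */
    seen = strlen((char *)key);              /* stops at offset 5 */
    *recorded = sized_length(key);           /* 32: the header knows */
    *fully_wiped = sized_wipe(key) == 32;    /* a strlen()-sized memset would stop at 5 */
    for (i = 0; i < 32; i++)
        *fully_wiped = *fully_wiped && key[i] == 0;
    sized_free(key);
    return seen;
}

int main(void)
{
    size_t recorded, seen; int wiped;
    seen = demo_block(&recorded, &wiped);
    printf("strlen: %zu, header: %zu, fully wiped: %d\n", seen, recorded, wiped);
    printf("64-byte request costs %zu bytes from the allocator\n", (size_t)(64 + HDR_SIZE));
    return 0;
}
```

Run as-is, the block shows strlen() stopping at the embedded zero byte (5 of 32 bytes) while the header still reports 32, and a 64-byte request costing 64 + HDR_SIZE bytes from the underlying allocator (80 on a typical 64-bit target), which is the bucket-size cost Joe mentions: the padded request no longer fits a power-of-two size class. The volatile store loop in cleanse() is what keeps the zeroing from being optimised away; a plain memset() just before free() may not survive.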