Thank you, Tim.
2. Error: Null pointer dereference (CWE 476)
   Read from null pointer rctx at line 114 of components/openssl/openssl-1.0.1/build/sparcv9-wanboot/crypto/ocsp/ocsp_ht.c in function 'OCSP_REQ_CTX_free'.
   Function OCSP_sendreq_new may return constant 'NULL' at line 171, called at line 491 in function 'OCSP_sendreq_bio'.
   Constant 'NULL' passed into function OCSP_REQ_CTX_free, argument rctx, from call at line 498.
   Null pointer introduced at line 171 in function 'OCSP_sendreq_new'.

This indicates a different issue is present - in that the error handling path will leak memory.

    rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
    if (!rctx->iobuf)
        return 0;

So if malloc fails rctx itself isn't freed - so that will leak. That will need to be looked at too.
Good point! We'll file an RT to check for the NULL pointer and free the malloced resources on the error exit (multiple places in the function).
12 13 --- openssl-1.0.1g/crypto/ocsp/ocsp_ht.c.~1~ Tue Jun 3 14:15:18 2014 14 +++ openssl-1.0.1g/crypto/ocsp/ocsp_ht.c Tue Jun 3 14:15:46 2014 15 @@ -490,6 +490,9 @@ 16 17 ctx = OCSP_sendreq_new(b, path, req, -1); 18 19 + if (!ctx) 20 + return NULL; 21 + 22 do 23 { 24 rv = OCSP_sendreq_nbio(&resp, ctx);

Looks reasonable - although I don't think the spin loop there is appropriate - basically with no delay, and no select, this will spin on a non-blocking retry condition (which is meant to make it back to the caller to enter their event loop). That is a broader issue to look at.
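Review bot: the "if (!ctx) return NULL;" check added after the OCSP_sendreq_new() call handles the NULL in this one caller only, while the analyzer report places the dereference inside OCSP_REQ_CTX_free (line 114), so a NULL guard in that function would be worth adding alongside this check. The hunk also does not touch OCSP_sendreq_new itself, so the leak of rctx when the iobuf allocation fails, raised earlier in the thread, still needs its own fix on that function's error exits.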
Assuming you are referring to the do-while loop when you said 'spin loop', that should be looked at separately. Jenny's suggestion to check the return value of OCSP_sendreq_new() should be a valid check.
Regards,
-- misaki
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
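The constructor leak and the NULL-tolerant cleanup discussed in this thread, as an added C example that is not part of the original messages and is not OpenSSL's code. The names req_ctx, xmalloc, xfree, ctx_new_leaky, ctx_new_fixed and leaked_after_failure are hypothetical, and the failure-injecting allocator is constructed so the leak can be counted.

```c
#include <stdlib.h>
/* Hypothetical stand-in for OCSP_REQ_CTX; not OpenSSL's definition. */
typedef struct { unsigned char *iobuf; int iobuflen; } req_ctx;

/* Constructed test allocator: fails on call number fail_at, counts live blocks. */
static int fail_at, alloc_calls, live_allocs;

static void *xmalloc(size_t n) {
    if (++alloc_calls == fail_at) return NULL;
    void *p = malloc(n);
    if (p) live_allocs++;
    return p;
}
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Before: same shape as the error path quoted in the thread; ctx leaks. */
static req_ctx *ctx_new_leaky(int len) {
    req_ctx *ctx = xmalloc(sizeof(*ctx));
    if (!ctx) return NULL;
    ctx->iobuflen = len;
    ctx->iobuf = xmalloc((size_t)len);
    if (!ctx->iobuf) return NULL;   /* ctx itself is never freed */
    return ctx;
}

/* NULL-tolerant free, so callers and error paths can call it unconditionally. */
static void ctx_free(req_ctx *ctx) {
    if (!ctx) return;
    xfree(ctx->iobuf);
    xfree(ctx);
}

/* After: release the partially built ctx before reporting failure. */
static req_ctx *ctx_new_fixed(int len) {
    req_ctx *ctx = xmalloc(sizeof(*ctx));
    if (!ctx) return NULL;
    ctx->iobuflen = len;
    ctx->iobuf = xmalloc((size_t)len);
    if (!ctx->iobuf) { ctx_free(ctx); return NULL; }
    return ctx;
}

/* Blocks still live after the constructor's second allocation fails. */
static int leaked_after_failure(req_ctx *(*ctor)(int)) {
    fail_at = 2; alloc_calls = 0; live_allocs = 0;
    ctx_free(ctor(4096));   /* caller-side cleanup; ctor returned NULL here */
    return live_allocs;
}

int main(void) { return leaked_after_failure(ctx_new_fixed); }
```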
