Thank you, Tim.
>> 2. Error: Null pointer dereference (CWE 476)
>> Read from null pointer rctx
>> at line 114 of
>> components/openssl/openssl-1.0.1/build/sparcv9-wanboot/crypto/ocsp/ocsp_ht.c
>> in function 'OCSP_REQ_CTX_free'.
>> Function OCSP_sendreq_new may return constant 'NULL' at line
>> 171, called at line 491 in function 'OCSP_sendreq_bio'.
>> Constant 'NULL' passed into function OCSP_REQ_CTX_free,
>> argument rctx, from call at line 498.
>> Null pointer introduced at line 171 in function
>> 'OCSP_sendreq_new'.
> This indicates a different issue is present - in that the error handling
> path will leak memory.
>
>     rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
>     if (!rctx->iobuf)
>         return 0;
>
> So if malloc fails rctx itself isn't freed - so that will leak. That
> will need to be looked at too.
Good point! We'll file an RT to check for the NULL pointer and free the
malloced resources on the error exit (multiple places in the function).
>> 12
>> 13 --- openssl-1.0.1g/crypto/ocsp/ocsp_ht.c.~1~ Tue Jun 3
>> 14:15:18 2014
>> 14 +++ openssl-1.0.1g/crypto/ocsp/ocsp_ht.c Tue Jun 3
>> 14:15:46 2014
>> 15 @@ -490,6 +490,9 @@
>> 16
>> 17 ctx = OCSP_sendreq_new(b, path, req, -1);
>> 18
>> 19 + if (!ctx)
>> 20 + return NULL;
>> 21 +
>> 22 do
>> 23 {
>> 24 rv = OCSP_sendreq_nbio(&resp, ctx);
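Review bot: The `if (!ctx)` check added after the OCSP_sendreq_new() call protects only this call site; the dereference in the report is inside OCSP_REQ_CTX_free (line 114), so any other caller that hands it a NULL rctx would still fault. Consider also having OCSP_REQ_CTX_free return early when its argument is NULL, so the free path is safe regardless of the caller. The early `return NULL;` looks fine as long as nothing acquired earlier in this function needs releasing; the hunk shows no prior allocation, but that should be confirmed against the full function.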
> Looks reasonable - although I don't think the spin loop there is
> appropriate - basically with no delay, and no select, this will spin on
> a non-blocking retry condition (which is meant to make it back to the
> caller to enter their event loop). That is a broader issue to look at.
Assuming you are referring to the do-while loop when you said 'spin
loop', that should be looked at separately.
Jenny's suggestion to check the return value of OCSP_sendreq_new()
should be a valid check.
Regards,
-- misaki