Hello,
Please see related RT openssl.org #3387
Error: Null pointer dereference (CWE 476)
Read from null pointer rctx
at line 114 of
components/openssl/openssl-1.0.1/build/sparcv9-wanboot/crypto/ocsp/ocsp_ht.c
in function 'OCSP_REQ_CTX_free'.
Function OCSP_sendreq_new may return constant 'NULL' at line
171, called at line 491 in function 'OCSP_sendreq_bio'.
Constant 'NULL' passed into function OCSP_REQ_CTX_free,
argument rctx, from call at line 498.
Null pointer introduced at line 171 in function
'OCSP_sendreq_new'.
In crypto/ocsp/ocsp_ht.c: OCSP_sendreq_new:
It doesn't check the validity of rctx at line 160, so the return value
of OPENSSL_malloc should be checked.
It should also check rctx->mem at line 162.
Also, when there are failures, it returns 0 but does not free rctx
(lines 170, 175 and 178).
The following is the suggested fix:
--- ocsp_ht.c.orig Mon Jun 9 15:41:31 2014
+++ ocsp_ht.c Mon Jun 9 15:46:22 2014
@@ -158,8 +158,17 @@
OCSP_REQ_CTX *rctx;
rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
+ if (!rctx)
+ return 0;
rctx->state = OHS_ERROR;
rctx->mem = BIO_new(BIO_s_mem());
+ if (!rctx->mem)
+ {
+ OCSP_REQ_CTX_free(rctx);
+ return 0;
+ }
rctx->io = io;
rctx->asn1_len = 0;
if (maxline > 0)
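Review bot: the new `if (!rctx->mem)` failure path calls OCSP_REQ_CTX_free(rctx) while rctx->iobuf is still uninitialised; that field is only assigned later, in the second hunk (`rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);`), and OPENSSL_malloc does not zero the allocation. Since the second hunk relies on OCSP_REQ_CTX_free to release rctx->iobuf after the BIO_printf and OCSP_REQ_CTX_set1_req failures, the free must touch that pointer, so in this early path it would act on garbage. Set `rctx->iobuf = NULL;` (and initialise rctx->mem before the BIO_new call) immediately after the successful OPENSSL_malloc, or release the context here with OPENSSL_free(rctx) directly rather than through OCSP_REQ_CTX_free.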
@@ -168,15 +177,24 @@
rctx->iobuflen = OCSP_MAX_LINE_LEN;
rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
if (!rctx->iobuf)
+ {
+ OCSP_REQ_CTX_free(rctx);
return 0;
+ }
if (!path)
path = "/";
if (BIO_printf(rctx->mem, post_hdr, path) <= 0)
+ {
+ OCSP_REQ_CTX_free(rctx);
return 0;
+ }
if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
+ {
+ OCSP_REQ_CTX_free(rctx);
return 0;
+ }
return rctx;
}
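Review bot: this hunk still leaves the defect reported at the top of the mail unfixed: OCSP_sendreq_new can return NULL (now from five places rather than three), OCSP_sendreq_bio passes that NULL straight to OCSP_REQ_CTX_free at line 498, and OCSP_REQ_CTX_free dereferences rctx at line 114. Either add an `if (!rctx) return;` guard at the top of OCSP_REQ_CTX_free or check the return value of OCSP_sendreq_new at line 491 before the call at 498; otherwise the null dereference the analyser flagged remains after this patch. As a style point, the four identical `OCSP_REQ_CTX_free(rctx); return 0;` blocks would read more clearly as a single `err:` label reached with `goto err`, which is the pattern used elsewhere in OpenSSL.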
Thanks,
Jenny Yung
Oracle Solaris Security
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]