The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.
This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):

    apps/openssl pkcs7 -in test/testp7.pem

What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.

Attached patch will check for zero-sized objects and won't call memcmp
on them.
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 5c861d1..bd1f02c 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -388,6 +388,8 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp)
j = (a->length - b->length);
if (j)
return (j);
+ if (a->length == 0)
+ return 0;
return (memcmp(a->data, b->data, a->length));
}
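Review bot: The new `if (a->length == 0) return 0;` is only correct because it sits after the `j = (a->length - b->length); if (j) return (j);` check, which guarantees b->length is also zero at that point; a short comment stating that, and that memcmp() must not be called with a NULL pointer even for a zero length, would keep a later reordering of the function from silently reintroducing the sanitizer finding. Consider also using a spelling consistent with the surrounding style (`return (0);`) to match the other return statements in the hunk.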
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev