Hello,

The following 13 potential null-pointer dereference bugs were found by running Facebook's Infer static analyzer on openssl-1.0.2a. You can reproduce these reports by downloading Infer (https://fbinfer.org/docs/getting-started.html) and running it like so:

    cd openssl-1.0.2a
    ./config && make clean
    infer -- make
    inferTraceBugs

The last command allows you to see more information about each report, in particular the symbolic traces that lead to the bug.

- apps/srp.c at line 149: NULL_DEREFERENCE
  pointer pp last assigned on line 148 could be null and is dereferenced at line 149, column 43

  apps/srp.c at line 166: NULL_DEREFERENCE
  pointer pp last assigned on line 164 could be null and is dereferenced at line 166, column 13

  The functions print_entry and print_user don't check that db->data->data is not NULL, hence sk_OPENSSL_PSTRING_value could return NULL.
  Additional note: the test is slightly different in both cases: "verbose > 0" for print_user vs "indx >= 0 && verbose" for print_entry.

- apps/x509.c at line 1108: NULL_DEREFERENCE
  pointer upkey last assigned on line 1107 could be null and is dereferenced by call to EVP_PKEY_copy_parameters() at line 1108, column 5

  Calling x509_certify() with xca == NULL or xca->cert_info == NULL makes X509_get_pubkey() return NULL, which triggers a NULL dereference in EVP_PKEY_copy_parameters().
  Additional note: the return value of X509_get_pubkey() is checked for NULL elsewhere in the codebase, e.g. in apps/ca.c:1597.

- apps/x509.c at line 1220: NULL_DEREFERENCE
  pointer pktmp last assigned on line 1219 could be null and is dereferenced by call to EVP_PKEY_copy_parameters() at line 1220, column 5

  Similar to the previous one.

- crypto/mem_dbg.c at line 647: NULL_DEREFERENCE
  pointer lcl last assigned on line 644 could be null and is dereferenced at line 647, column 22

  localtime(3) can return NULL in case of error.
- crypto/objects/o_names.c at line 105: NULL_DEREFERENCE
  pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 105, column 9

  crypto/objects/o_names.c at line 107: NULL_DEREFERENCE
  pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 107, column 9

  crypto/objects/o_names.c at line 109: NULL_DEREFERENCE
  pointer name_funcs last assigned on line 103 could be null and is dereferenced at line 109, column 9

  If name_type_num < 0 or if name_type_num >= name_funcs_stack->num, then name_funcs is assigned NULL on line 103. These ones may be false positives, as it looks like this can never be the case in that file.

- crypto/pkcs7/pk7_doit.c at line 1149: NULL_DEREFERENCE
  pointer ri last assigned on line 1148 could be null and is dereferenced at line 1149, column 12

  If PKCS7_get_issuer_and_serial() is called with idx < 0 then the execution gets to the last call to sk_PKCS7_RECIP_INFO_value(), which returns NULL.

- crypto/x509/x509_cmp.c at line 410: NULL_DEREFERENCE
  pointer x last assigned on line 405 could be null and is dereferenced at line 410, column 55

  If X509_chain_check_suiteb() is called with chain == NULL, then the call to sk_X509_value() on line 410 will assign NULL to x. Line 410 is X509_get_version(x), which dereferences x without checking for NULL.

- crypto/x509/x509_req.c at line 125: NULL_DEREFERENCE
  pointer xk last assigned on line 124 could be null and is dereferenced by call to EVP_PKEY_cmp() at line 125, column 13

  If X509_REQ_check_private_key() is called with x == NULL, then xk will get NULL on line 124.

- crypto/x509/x509_req.c at line 204: NULL_DEREFERENCE
  pointer attr last assigned on line 203 could be null and is dereferenced at line 204, column 13

  In X509_REQ_get_extensions(), the call to X509_REQ_get_attr_by_NID() may return -2 as an error code, but the caller checks for -1 instead. This results in an NPE a few lines down, as the -2 is passed to X509_REQ_get_attr(), which sees that idx is invalid and returns NULL. Then attr == NULL is dereferenced by attr->single in the condition of the if statement on the next line.

- crypto/x509/x509_lu.c at line 311: NULL_DEREFERENCE
  pointer lu last assigned on line 310 could be null and is dereferenced by call to X509_LOOKUP_by_subject() at line 311, column 17

  If vs->ctx->get_cert_methods is NULL then sk_X509_LOOKUP_num() returns -1 in the condition of the for loop. Then, if vs->current_method < -1, we still enter the body of the loop. Then lu gets assigned NULL by sk_X509_LOOKUP_value.

Best regards,
Jules Villard
Facebook Static Analysis Tools Team

openssl-bugs-mod mailing list: https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
openssl-dev mailing list (to unsubscribe): https://mta.openssl.org/mailman/listinfo/openssl-dev
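The two report patterns that recur above, a negative error code slipping past a check that only recognises one of the codes (x509_req.c line 204) and a loop bound taken from sk_*_num() on a NULL stack (x509_lu.c line 311), are easy to reproduce in isolation. The following C program is an added example, not OpenSSL code and not part of the original report: the toy_sk_* functions, the attribute stack, the constructed sample data and the -2 convention in toy_get_attr_by_NID are stand-ins that mimic the documented OpenSSL behaviour (sk_*_num() returns -1 for a NULL stack, sk_*_value() returns NULL for any out-of-range index, and the attribute lookup returns -1 for "absent" and -2 for a lookup error). The buggy callers return a status instead of dereferencing the NULL pointer so the outcome can be checked; the fixed caller shows the `idx < 0` test that covers both codes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for an OpenSSL STACK_OF(): a bounded pointer array.
 * Mimics sk_*_num() (-1 for a NULL stack) and sk_*_value() (NULL when the
 * stack is NULL or the index is out of range). Not OpenSSL's own code. */
typedef struct { void **data; int num; } toy_stack;

static int toy_sk_num(const toy_stack *sk) { return sk == NULL ? -1 : sk->num; }

static void *toy_sk_value(const toy_stack *sk, int i) {
    if (sk == NULL || sk->data == NULL || i < 0 || i >= sk->num)
        return NULL;
    return sk->data[i];
}

/* Toy attribute: an object id and the "single" flag the report mentions. */
typedef struct { int nid; int single; } toy_attr;

/* Constructed stand-in for X509_REQ_get_attr_by_NID(): -1 means "no such
 * attribute", -2 means "the lookup itself failed" (here: an invalid NID). */
static int toy_get_attr_by_NID(const toy_stack *sk, int nid) {
    if (nid <= 0)
        return -2;
    for (int i = 0; i < toy_sk_num(sk); i++)
        if (((toy_attr *)toy_sk_value(sk, i))->nid == nid)
            return i;
    return -1;
}

enum outcome { NO_EXTENSIONS = 0, FOUND = 1, NULL_DEREF = 2 };

/* The check as the report describes it: only -1 is treated as "absent", so a
 * -2 is handed to the stack lookup, which yields NULL. The real code reads
 * attr->single at that point; this stand-in reports NULL_DEREF instead. */
enum outcome get_extensions_buggy(const toy_stack *sk, int nid) {
    int idx = toy_get_attr_by_NID(sk, nid);
    if (idx == -1)
        return NO_EXTENSIONS;
    const toy_attr *attr = toy_sk_value(sk, idx);
    if (attr == NULL)
        return NULL_DEREF;            /* crash site in the original */
    return attr->single ? FOUND : NO_EXTENSIONS;
}

/* Fixed variant: every negative return is an "absent" result, and the
 * lookup's own NULL is still checked before the field access. */
enum outcome get_extensions_fixed(const toy_stack *sk, int nid) {
    int idx = toy_get_attr_by_NID(sk, nid);
    if (idx < 0)
        return NO_EXTENSIONS;
    const toy_attr *attr = toy_sk_value(sk, idx);
    if (attr == NULL)
        return NO_EXTENSIONS;
    return attr->single ? FOUND : NO_EXTENSIONS;
}

/* Models the x509_lu.c loop: with a NULL method stack the bound is -1, so any
 * start index below -1 enters the body and every lookup returns NULL. Returns
 * how many iterations would have dereferenced a NULL lookup. */
int null_lookups_in_loop(const toy_stack *methods, int current_method) {
    int nulls = 0;
    for (int i = current_method; i < toy_sk_num(methods); i++)
        if (toy_sk_value(methods, i) == NULL)
            nulls++;
    return nulls;
}

/* Constructed sample data: two attributes, NIDs 5 and 9. */
static toy_attr sample_items[] = { { 5, 1 }, { 9, 0 } };
static void *sample_ptrs[] = { &sample_items[0], &sample_items[1] };
toy_stack sample_attrs = { sample_ptrs, 2 };

int main(void) {
    printf("buggy, nid 5 (present):  %d\n", get_extensions_buggy(&sample_attrs, 5));
    printf("buggy, nid 7 (absent):   %d\n", get_extensions_buggy(&sample_attrs, 7));
    printf("buggy, nid 0 (invalid):  %d\n", get_extensions_buggy(&sample_attrs, 0));
    printf("fixed, nid 0 (invalid):  %d\n", get_extensions_fixed(&sample_attrs, 0));
    printf("loop, NULL stack from -3: %d null lookups\n", null_lookups_in_loop(NULL, -3));
    return 0;
}
```

The point of the fixed variant is that the caller should not enumerate error codes at all: any negative index is "do not index the stack", and the value returned by the stack lookup is checked independently, because the two failure modes (bad index, NULL stack) are separate.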