Hi folks,
Can I ask about malloc failure handling issues that seem to affect OpenSSL 1.0.1p
and 1.0.2d?

1. In s3_enc.c::ssl3_digest_cached_records, we have the below code.

    s->s3->handshake_dgst =
        OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
    memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));

We are not checking for the return value of the malloc, resulting in a straight
null dereference in the memset.

2. In hm_pmeth.c::pkey_hmac_cleanup

    HMAC_PKEY_CTX *hctx = ctx->data;
    HMAC_CTX_cleanup(&hctx->ctx);

Using hctx when it can be NULL. We could have failed to allocate ctx->data in
int_ctx_new, which calls pmeth->init (alloc can return error here).

Thanks
Trev
_______________________________________________
openssl-bugs-mod mailing list
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
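
Added example, not part of the original message and not OpenSSL code: a self-contained C model of the two patterns reported above, with the allocation checked before the memset and a cleanup routine that tolerates a NULL data pointer. All names (xmalloc, fail_alloc, hs_state, pkey_ctx, MAX_DIGEST and the three functions) are hypothetical stand-ins, and the 64-byte size is an assumption.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_DIGEST 6                 /* hypothetical stand-in for SSL_MAX_DIGEST */

static int fail_alloc;               /* fault injection: fail the next allocation */

static void *xmalloc(size_t n)       /* hypothetical stand-in for OPENSSL_malloc */
{
    if (fail_alloc) { fail_alloc = 0; return NULL; }
    return malloc(n);
}

struct md_ctx;                                /* opaque, plays the role of EVP_MD_CTX */
struct hs_state { struct md_ctx **dgst; };    /* models s->s3->handshake_dgst */
struct pkey_ctx { void *data; };              /* models ctx->data */

/* Case 1: check the allocation before touching it; 0 means failure. */
int digest_slots_init(struct hs_state *s)
{
    s->dgst = xmalloc(MAX_DIGEST * sizeof(*s->dgst));
    if (s->dgst == NULL)
        return 0;                    /* caller must treat this as an error */
    memset(s->dgst, 0, MAX_DIGEST * sizeof(*s->dgst));
    return 1;
}

/* Case 2: init can fail and leave ctx->data NULL ... */
int pkey_like_init(struct pkey_ctx *ctx)
{
    ctx->data = xmalloc(64);         /* size is an assumption for the model */
    return ctx->data != NULL;
}

/* ... so cleanup must not dereference it. Returns 1 if something was freed. */
int pkey_like_cleanup(struct pkey_ctx *ctx)
{
    if (ctx->data == NULL)
        return 0;                    /* init failed earlier: nothing to release */
    free(ctx->data);
    ctx->data = NULL;
    return 1;
}

int main(void)
{
    struct pkey_ctx c = { NULL };
    fail_alloc = 1;                  /* simulate the failing allocation */
    if (!pkey_like_init(&c))
        pkey_like_cleanup(&c);       /* safe: no NULL dereference */
    return 0;
}
```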