On Sun, Nov 29, 2015 at 11:09:35AM +0000, Trevor Larock via RT wrote:
> Hi folks,
>
> Can I ask about malloc failure handling issues, seems to be affecting OpenSSL
> 1.0.1p and 1.0.2d,
>
> 1. In s3_enc.c::ssl3_digest_cached_records, we have the below code.
>
>     s->s3->handshake_dgst =
>         OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
>     memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
>
> We are not checking for the return value of the malloc, resulting in a
> straight null dereference in the memset.

That seems to be fixed in the master branch.

> 2. In hm_pmeth.c::pkey_hmac_cleanup
>
>     HMAC_PKEY_CTX *hctx = ctx->data;
>     HMAC_CTX_cleanup(&hctx->ctx);
>
> Using hctx when it can be NULL. We could have failed to allocate ctx->data in
> int_ctx_new, which calls pmeth->init (alloc can return error here).

So when pmeth->init() fails it calls EVP_PKEY_CTX_free(), which calls
ctx->pmeth->cleanup(). I'm guessing there are other cleanup / free functions
that don't really expect to get called when init / new failed. At least
ossl_hmac_cleanup() looks to have the same problem, while things like
pkey_ec_cleanup(), pkey_dh_cleanup() and pkey_rsa_cleanup() look good.

Kurt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
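The two defects discussed in the thread share one lifecycle pattern: a context is allocated, a per-algorithm init may fail part-way, and the generic free path then runs the algorithm's cleanup hook on a half-built object. The following is an added example written for this thread, not OpenSSL code: the `pkey_ctx`, `hmac_state`, `xmalloc`, `pkey_ctx_new` and `check_*` names are hypothetical stand-ins for `EVP_PKEY_CTX`, `HMAC_PKEY_CTX`, `int_ctx_new` and friends. It shows a cleanup that tolerates `data == NULL`, a memset that only runs after the allocation is checked, and a fault-injected allocator so the failed-init path is actually exercised rather than assumed to work.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context types for this example; not OpenSSL's structures. */
typedef struct pkey_ctx pkey_ctx;
struct pkey_ctx {
    void *data;                     /* algorithm state; stays NULL if init fails */
    int  (*init)(pkey_ctx *ctx);    /* 1 on success, 0 on failure */
    void (*cleanup)(pkey_ctx *ctx);
};

typedef struct { unsigned char key[32]; size_t key_len; } hmac_state;

/* Allocation wrapper with fault injection: the N-th call returns NULL. */
static int g_alloc_calls = 0;
static int g_fail_on_call = -1;
static void *xmalloc(size_t n)
{
    if (++g_alloc_calls == g_fail_on_call)
        return NULL;
    return malloc(n);
}

static int hmac_init(pkey_ctx *ctx)
{
    hmac_state *st = xmalloc(sizeof(*st));
    if (st == NULL)
        return 0;                   /* ctx->data is left NULL */
    memset(st, 0, sizeof(*st));     /* memset only after the NULL check (issue 1) */
    ctx->data = st;
    return 1;
}

/* Hardened cleanup: must tolerate ctx->data == NULL, because the free path
 * below calls it even when init never completed (issue 2). */
static void hmac_cleanup(pkey_ctx *ctx)
{
    hmac_state *st = ctx->data;
    if (st == NULL)
        return;
    memset(st, 0, sizeof(*st));     /* scrub key material before release */
    free(st);
    ctx->data = NULL;
}

void pkey_ctx_free(pkey_ctx *ctx)
{
    if (ctx == NULL)
        return;
    if (ctx->cleanup != NULL)
        ctx->cleanup(ctx);
    free(ctx);
}

/* Mirrors the int_ctx_new flow described in the thread: allocate the
 * context, run init, and on failure free the half-built context. */
pkey_ctx *pkey_ctx_new(void)
{
    pkey_ctx *ctx = xmalloc(sizeof(*ctx));
    if (ctx == NULL)
        return NULL;
    memset(ctx, 0, sizeof(*ctx));
    ctx->init = hmac_init;
    ctx->cleanup = hmac_cleanup;
    if (!ctx->init(ctx)) {
        pkey_ctx_free(ctx);         /* cleanup runs with ctx->data == NULL */
        return NULL;
    }
    return ctx;
}

/* Force the second allocation (the HMAC state) to fail. Returns 1 if the
 * failure is reported as NULL without crashing in cleanup. */
int check_failed_init_is_safe(void)
{
    g_alloc_calls = 0;
    g_fail_on_call = 2;
    return pkey_ctx_new() == NULL;
}

/* Normal path: both allocations succeed and the state is populated. */
int check_normal_path(void)
{
    g_alloc_calls = 0;
    g_fail_on_call = -1;
    pkey_ctx *ctx = pkey_ctx_new();
    int ok = ctx != NULL && ctx->data != NULL;
    pkey_ctx_free(ctx);
    return ok;
}

int main(void)
{
    printf("failed init handled safely: %d\n", check_failed_init_is_safe());
    printf("normal path ok: %d\n", check_normal_path());
    return 0;
}
```

The fault-injecting allocator is the part worth copying into a real test suite: an unchecked allocation or a cleanup hook that assumes init succeeded is invisible under normal runs and only shows up when the N-th allocation is made to fail, which is exactly the situation the reported 1.0.1p/1.0.2d code paths did not handle.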
