Hello All, In reviewing source code in directory 'crypto/conf', file 'conf_mod.c', there is a call to BUF_strdup() in function 'module_add()' which is not checked for a return value of NULL, indicating failure.
The patch file below adds the check and calls OPENSSL_free(tmod) to release the previous allocation by OPENSSL_malloc(): --- conf_mod.c.orig 2016-03-06 05:46:50.424008381 -0800 +++ conf_mod.c 2016-03-06 05:47:49.031457086 -0800 @@ -288,6 +288,10 @@ tmod->dso = dso; tmod->name = BUF_strdup(name); + if (!tmod->name) { + OPENSSL_free(tmod); + return NULL; + } tmod->init = ifunc; tmod->finish = ffunc; tmod->links = 0; -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4382 Please log in as guest with password guest if prompted
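Review bot: In the added `if (!tmod->name)` block, the early return frees only `tmod`, after `tmod->dso = dso;` has already been stored, and it records nothing on the error queue. The hunk does not show who owns `dso` when module_add() returns NULL, so confirm the caller releases it on this path, and consider raising a malloc-failure error before `return NULL;` so the failure can be diagnosed. As a style point, an explicit `tmod->name == NULL` comparison reads more clearly than the implicit `!tmod->name` test.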
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev