Hello All,
In reviewing source code in directory 'openssl-1.0.2g/crypto/evp',
in file 'openbsd_hw.c', there are a few instances where OPENSSL_malloc()
is called and its return value is passed straight to memcpy() without
first being checked for NULL.
If the first argument to memcpy() is NULL, a segmentation fault/
violation will occur. The patch file below should address/correct this
issue:
--- openbsd_hw.c.orig 2016-03-02 15:36:57.236927351 -0800
+++ openbsd_hw.c2016-03-02 15:40:29.525908189 -0800
@@ -133,6 +133,10 @@
return 0;
CDATA(ctx)->key = OPENSSL_malloc(MAX_HW_KEY);
+if (CDATA(ctx)->key == NULL {
+ err("CDATA(ctx)->key memory allocation failed");
+ return 0;
+}
assert(ctx->cipher->iv_len <= MAX_HW_IV);
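Review bot: The new guard on the `+if` line does not compile as written: the condition is missing its closing parenthesis and should read `if (CDATA(ctx)->key == NULL) {`. The added lines have also lost their indentation relative to the context lines, so the patch may not apply cleanly as pasted. The enclosing function starts before the hunk, so whether anything allocated earlier in it (the CDATA(ctx) block itself, for instance) needs releasing before this `return 0` cannot be confirmed from here.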
@@ -186,6 +190,11 @@
if (((unsigned long)in & 3) || cinl != inl) {
cin = OPENSSL_malloc(cinl);
+ if (cin == NULL) {
+ err("cin - memory allocation failed");
+ abort();
+ return 0;
+ }
memcpy(cin, in, inl);
cryp.src = cin;
}
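Review bot: `abort()` on an allocation failure in the new block terminates the whole host process, which for library code turns a recoverable out-of-memory condition into a deliberate crash, and it also makes the `return 0` that follows unreachable. Drop the `abort();` and let the caller see the failure: `if (cin == NULL) { err("cin - memory allocation failed"); return 0; }`. The same pattern appears in the hunk at @@ -334 (`dcopy`); the hunks at @@ -133 and @@ -397 already return without aborting, so this change would also make the file consistent. The enclosing function begins outside the hunk, so whether other resources must be released on this early return cannot be confirmed here.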
@@ -334,6 +343,11 @@
char *dcopy;
dcopy = OPENSSL_malloc(len);
+ if (dcopy == NULL) {
+ err("dcopy - memory allocation failed");
+ abort();
+ return 0;
+ }
memcpy(dcopy, data, len);
cryp.src = dcopy;
cryp.dst = cryp.src; // FIXME!!!
@@ -397,6 +411,10 @@
assert(from->digest->flags & EVP_MD_FLAG_ONESHOT);
to_md->data = OPENSSL_malloc(from_md->len);
+if (to_md->data == NULL) {
+ err("DEV_CRYPTO_MD5_COPY: unable to allocate memory");
+ return 0;
+}
memcpy(to_md->data, from_md->data, from_md->len);
return 1;
===
Hello All,
In reviewing source code in directory 'engines/ccgost', in file
'gost_ameth.c', there are a few instances where OPENSSL_malloc()
is called, but no check for a return value of NULL is made. However,
immediately afterwards statements which access the allocated memory
are used (array access/memset(), etc.) which will result in a segmentation
fault/violation occurring if NULL is returned from the OPENSSL_malloc()
call.
The patch file below should address/correct this issue:
--- gost_ameth.c.orig 2016-03-02 16:43:36.014151374 -0800
+++ gost_ameth.c2016-03-02 16:45:59.978448496 -0800
@@ -617,6 +617,10 @@
return 0;
}
databuf = OPENSSL_malloc(octet->length);
+if (!databuf) {
+ GOSTerr(GOST_F_PUB_DECODE_GOST94, ERR_R_MALLOC_FAILURE);
+ return 0;
+}
for (i = 0, j = octet->length - 1; i < octet->length; i++, j--) {
databuf[j] = octet->data[i];
}
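Review bot: The early `return 0` in the new block may leak `octet`: it is dereferenced as `octet->length` on the line above, so it was obtained earlier in this function (which starts outside the hunk), and if it came from a d2i_ call it needs `ASN1_OCTET_STRING_free(octet)` before returning — confirm against the function head. The same question applies to the hunk at @@ -686, whose new block is identical. Reporting the failure with `GOSTerr(..., ERR_R_MALLOC_FAILURE)` matches the error-queue convention used by the other hunks in this file.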
@@ -646,6 +650,8 @@
}
data_len = BN_num_bytes(dsa->pub_key);
databuf = OPENSSL_malloc(data_len);
+if (!databuf)
+ return 0;
BN_bn2bin(dsa->pub_key, databuf);
octet = ASN1_OCTET_STRING_new();
ASN1_STRING_set(octet, NULL, data_len);
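Review bot: The new check returns 0 silently, whereas the other hunks in this patch report `ERR_R_MALLOC_FAILURE` through `GOSTerr`; for consistency report it here too, e.g. `if (!databuf) { GOSTerr(GOST_F_<enclosing function>, ERR_R_MALLOC_FAILURE); return 0; }`, substituting the function code of the enclosing function, which starts outside the hunk. Note also that the very next lines, `octet = ASN1_OCTET_STRING_new();` followed by `ASN1_STRING_set(octet, NULL, data_len);`, are the same class of unchecked allocation this patch sets out to fix; a check there would need to free the `databuf` allocated just above on the failure path. The hunks at @@ -107 and @@ -533 in the gost_pmeth.c patch return silently in the same way.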
@@ -686,6 +692,10 @@
return 0;
}
databuf = OPENSSL_malloc(octet->length);
+if (!databuf) {
+ GOSTerr(GOST_F_PUB_DECODE_GOST01, ERR_R_MALLOC_FAILURE);
+ return 0;
+}
for (i = 0, j = octet->length - 1; i < octet->length; i++, j--) {
databuf[j] = octet->data[i];
}
@@ -760,6 +770,10 @@
data_len = 2 * BN_num_bytes(order);
BN_free(order);
databuf = OPENSSL_malloc(data_len);
+if (!databuf) {
+ GOSTerr(GOST_F_PUB_DECODE_GOST01, ERR_R_MALLOC_FAILURE);
+ return 0;
+}
memset(databuf, 0, data_len);
store_bignum(X, databuf + data_len / 2, data_len / 2);
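Review bot: The function code passed to `GOSTerr` in the new block, `GOST_F_PUB_DECODE_GOST01`, looks copied from the hunk at @@ -686: the visible body here (`BN_num_bytes(order)`, `store_bignum(X, ...)`) is serialising a key rather than decoding one, so the failure would be attributed to the wrong function in the error queue; confirm the enclosing function, which starts outside the hunk, and use its own `GOST_F_` code. `X` is a live BIGNUM at the `store_bignum` call, so if it was allocated inside this function the early `return 0` leaks it (and any companion coordinate) — a `BN_free` before returning, or a shared cleanup label, is probably needed.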
===
Hello All,
In reviewing source code in directory 'engines/ccgost', in file
'gost_pmeth.c', there are a few instances where OPENSSL_malloc()
is called, but no check for a return value of NULL is made. However,
immediately afterwards statements which access the allocated memory
are used (memcpy()/memset(), etc.) which will result in a segmentation
fault/violation occurring if NULL is returned from the OPENSSL_malloc()
call.
The patch file below should address/correct this issue:
--- gost_pmeth.c.orig 2016-03-02 17:24:49.503519153 -0800
+++ gost_pmeth.c2016-03-02 17:27:27.179558967 -0800
@@ -107,6 +107,8 @@
return 1;
case EVP_PKEY_CTRL_SET_IV:
pctx->shared_ukm = OPENSSL_malloc((int)p1);
+ if (!pctx->shared_ukm)
+ return 0;
memcpy(pctx->shared_ukm, p2, (int)p1);
return 1;
case EVP_PKEY_CTRL_PEER_KEY:
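Review bot: The new check returns 0 without recording anything in the error queue, so a caller of the ctrl will see a failure with no diagnosis; the gost_ameth.c patch from the same series reports `ERR_R_MALLOC_FAILURE` via `GOSTerr`, and doing the same here, with the function code for this ctrl function (which starts outside the hunk), keeps the engine consistent. The hunk at @@ -533 (`keydata`) has the same silent return. The `return 0` itself fits the 1/0 convention visible in the surrounding `return 1` lines.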
@@ -533,6 +535,8 @@
return 0;
}
keydata = OPENSSL_malloc(32);
+if (!keydata)
+ return 0;
memcpy(keydata, data->key, 32);
EVP_PKEY_assi