[openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g

2016-06-20 Thread Rich Salz via RT
This is a "can't happen" kind of thing. If you pass in a NID_xxx value, you
MUST get back the object. They are two tables built in-sync.

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4381
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g

2016-03-07 Thread Bill Parker via RT
In reviewing code in directory 'crypto/asn1', file 'asn_moid.c', in
function 'do_create()', there is a call to 'OBJ_nid2obj()' which is
not checked for a return value of NULL.

The patch file below adds the check and returns 0 if NULL is returned:

--- asn_moid.c.orig 2016-03-06 17:09:03.019903938 -0800
+++ asn_moid.c  2016-03-06 17:09:41.778829998 -0800
@@ -146,6 +146,8 @@
 memcpy(lntmp, ln, p - ln);
 lntmp[p - ln] = 0;
 oid = OBJ_nid2obj(nid);
+   if (oid == NULL)
+   return 0;
 oid->ln = lntmp;
 }

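Review bot: the early return 0 under the new oid == NULL check skips oid->ln = lntmp, so the buffer that memcpy just filled is never handed to an owner on that path; if lntmp is heap-allocated earlier in do_create(), free it before returning. The added return is also not indented under its if.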

===

In reviewing code in directory 'crypto/asn1', file 'p5_pbev2.c', in
functions 'PKCS5_pbe2_set_iv()' and 'PKCS5_pbkdf2_set()', there are calls
to 'OBJ_nid2obj()' which are not checked for a return value of NULL.

The patch file below adds the check and goes to merr: if NULL is returned:

--- p5_pbev2.c.orig 2016-03-06 17:21:56.612223544 -0800
+++ p5_pbev2.c  2016-03-06 17:23:25.049463462 -0800
@@ -105,6 +105,8 @@
 goto err;
 }
 obj = OBJ_nid2obj(alg_nid);
+if (obj == NULL)
+   goto merr;

 if (!(pbe2 = PBE2PARAM_new()))
 goto merr;
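
Review bot: goto merr after obj = OBJ_nid2obj(alg_nid) sends a failed lookup down the same path the next statement uses for a failed PBE2PARAM_new(), so an unknown alg_nid would be handled as if it were an allocation failure. The context line just above this hunk already uses goto err for a non-allocation failure; if the two labels differ in what they report, err looks like the better fit here.
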
@@ -169,6 +171,8 @@
 goto merr;

 ret->algorithm = OBJ_nid2obj(NID_pbes2);
+if (ret->algorithm == NULL)
+   goto merr;

 /* Encode PBE2PARAM into parameter */

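Review bot: the check after ret->algorithm = OBJ_nid2obj(NID_pbes2) tests the lookup of a compile-time constant NID, which the maintainer's reply in this thread describes as unable to fail. If the check is kept, add a comment marking it as purely defensive, and indent the added if to match the surrounding goto merr lines.
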
@@ -258,6 +262,8 @@
 goto merr;

 keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
+if (!keyfunc->algorithm)
+   goto merr;

 /* Encode PBKDF2PARAM into parameter of pbe2 */

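Review bot: the added test is written as if (!keyfunc->algorithm), while the two earlier hunks in this same file use the == NULL form (obj == NULL, ret->algorithm == NULL). Pick one form for the file; == NULL matches the rest of the patch. As in the previous hunk, the NID passed here (NID_id_pbkdf2) is a constant.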

===

In reviewing code in directory 'crypto/asn1', file 'x_attrib.c', in
function 'X509_ATTRIBUTE_create()' there is a call to 'OBJ_nid2obj()'
which is not checked for a return value of NULL.

The patch file below adds the check and goes to err: if NULL is returned:

--- x_attrib.c.orig 2016-03-06 17:35:12.565385098 -0800
+++ x_attrib.c  2016-03-06 17:37:35.383536550 -0800
@@ -105,6 +105,8 @@
 if ((ret = X509_ATTRIBUTE_new()) == NULL)
 return (NULL);
 ret->object = OBJ_nid2obj(nid);
+if (ret->object == NULL)
+   goto err;
 ret->single = 0;
 if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL)
 goto err;
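
Review bot: the new ret->object == NULL check runs after X509_ATTRIBUTE_new() has already allocated ret, so an unknown nid now depends on the err path for cleanup. Looking up the object into a local before calling X509_ATTRIBUTE_new() would let the function return NULL for a bad nid without allocating anything, and would keep goto err for the failures that really need it.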

===

In reviewing code in directory 'crypto/asn1', file 'tasn_new.c', in
function 'ASN1_primitive_new()' there is a call to 'OBJ_nid2obj()'
which is not checked for a return value of NULL.

The patch file below adds the check and returns 0 if NULL is returned:

--- tasn_new.c.orig 2016-03-06 17:39:25.320508974 -0800
+++ tasn_new.c  2016-03-06 17:40:31.614934655 -0800
@@ -328,6 +328,8 @@
 switch (utype) {
 case V_ASN1_OBJECT:
 *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef);
+   if (!pval)
+   return 0;
 return 1;

 case V_ASN1_BOOLEAN:
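
Review bot: the added if (!pval) tests the pointer-to-pointer, not the value just stored by *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef). pval has already been dereferenced on the line above, so this check can never catch a NULL returned by OBJ_nid2obj(); the test that matches the stated intent is if (*pval == NULL). The added lines also need the indentation of the surrounding case body.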

===

Bill Parker (wp02855 at gmail dot com)
