Hello All,
I am not sure that the patches below correct any potential
security issue, but use of values returned from calloc()/malloc()
and alloca() without checking for NULL may result in undesirable
behavior in OpenSSL 1.0.1c. The patches below result in a
clean './config' and 'make' under
Hello All,
In reviewing code in directory 'apps', file 'prime.c', there is a
call to BN_new() which is not checked for a return value of NULL,
indicating failure. The patch file below should address/correct this
issue:
--- prime.c.orig2016-03-08 16:13:24.841500061 -0800
+++ prime.c
Hello All,
In reviewing code in directory 'crypto/conf', file 'conf_mod.c',
there is a call to OPENSSL_strdup() which is not checked for a
return value of NULL, indicating failure.
The patch file below adds the test, and releases the previously allocated
memory assigned to 'tmod':
---
Geez,
What did I start here (egad) :)
Bill
On Wed, Mar 9, 2016 at 5:03 AM, Salz, Rich via RT wrote:
> > No, you got that right, NULL being 'safe' to free varies with OS.
>
> Except we mandate ANSI C which means it's portable :)
>
> --
> Ticket here:
Hello All,
In reviewing code in directory 'crypto/modes', file 'ocb128.c', there is a
call to OPENSSL_realloc() which has the potential to clobber the old value
of variable 'ctx->l', if the call returns NULL.
The patch file below uses a void *tmp_ptr to prevent this from occurring:
---
I must be brain dead today, since free'ing something that is already NULL
is not a problem (geez)...
Heh
On Tue, Mar 8, 2016 at 12:01 PM, Salz, Rich via RT wrote:
>
> > + if (dest->mont_data != NULL)
> > + BN_MONT_CTX_free(dest->mont_data);
>
>
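Review bot: the NULL test on dest->mont_data in front of BN_MONT_CTX_free(dest->mont_data) is redundant, since BN_MONT_CTX_free() returns immediately when passed NULL, which is the point conceded in the reply above. Suggest dropping the guard and calling BN_MONT_CTX_free(dest->mont_data) unconditionally.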
Hello All,
In reviewing source code in directory 'crypto/ocsp', file 'ocsp_ht.c',
there is a minor flaw in the test logic which could allow a small memory
leak to develop. The patch file below should address/correct this issue:
--- ocsp_ht.c.orig 2016-03-08 10:24:51.821632969 -0800
+++
Hello All,
In reviewing code in directory 'crypto/ec', file 'ec_lib.c', there
appears to be allocated memory which is not released when a return 0;
is encountered in some cases of OPENSSL_malloc(). The patch file below
should address/correct these minor leaks:
--- ec_lib.c.orig
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/threads', file
'th-lock.c', in function 'CRYPTO_thread_setup', there is a call to
OPENSSL_malloc() which is not checked for a return value of NULL,
indicating failure.
The patch file below should address/correct this issue:
Hello All,
In reviewing source code in directory 'openssl-1.0.2g/apps', in file
'ca.c', there are a few instances where OPENSSL_malloc() is called, but
immediately afterwards a call to memcpy() is made with the return value
from the call, but the check for NULL is made AFTER the memcpy().
Hello All,
In reviewing code in directory 'crypto/evp', file 'pmeth_gn.c', in
function 'EVP_PKEY_keygen()', there is a call to EVP_PKEY_new() which
is not checked for a return value of NULL, indicating failure.
This test is done in function 'EVP_PKEY_paramgen()', but looks like it
was left out
Hello All,
In reviewing source code for OpenSSL-1.0.2g, it would appear in file
'apps/speed.c', in function 'static int do_multi()', a call to malloc()
is made without being tested for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
---
Hello All,
In reviewing source code in directory 'openssl-1.0.2g/crypto/evp',
in file 'openbsd_hw.c', there are a few instances where OPENSSL_malloc()
is called, but immediately afterwards a call to memcpy() is made with
the return value from the call to OPENSSL_malloc(), but no check for
a
Hello All,
In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file
'ssl_ciph.c', in function 'SSL_COMP_add_compression_method()',
there is a call to OPENSSL_malloc() which is not checked for a
return value of NULL, indicating failure.
The patch file below should address/correct this
In reviewing code in directory 'crypto/asn1', file 'asn_moid.c', in
function 'do_create()', there is a call to 'OBJ_nid2obj()' which is
not checked for a return value of NULL.
The patch file below adds the check and returns 0 if NULL is returned:
--- asn_moid.c.orig 2016-03-06
Hello All,
In reviewing code in directory 'engines', file 'e_aep.c', there is a
call to function 'bn_expand()', but it is not checked for a return
value of NULL. However, a member of the variable 'bn' (bn->d) is used in
memset()/memcpy() calls, but if 'bn' is NULL, a segmentation
Hello All,
In reviewing source code in directory 'crypto/conf', file 'conf_mod.c',
there is a call to BUF_strdup() in function 'module_add()' which is not
checked for a return value of NULL, indicating failure.
The patch file below adds the check and calls OPENSSL_free(tmod) to
release the
Hello All,
In reviewing source code in directory 'engines', file 'e_4758cca.c',
there are two calls to function 'RSA_new_method()' which are not
checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- e_4758cca.c.orig2016-03-06
Hello All,
In reviewing code in directory 'engines/ccgost', file 'gost2001.c',
there are two calls to BN_new() which are not checked for a return
value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- gost2001.c.orig 2016-03-06 11:32:49.676178425
Hello All,
In reviewing source code in directory 'crypto/engines', file 'e_chil.c'
there are some comments warning to check for error when bn_expand2() or
BN_new() or RSA_new_method() is called. The patch file below adds the
requested checks to the code:
--- e_chil.c.orig 2016-03-06
> Oracle Australia
>
> On Mon, 7 Mar 2016 05:55:23 PM Bill Parker via RT wrote:
> > Hello All,
> >
> > In reviewing code in directory 'engines/ccgost', file 'gost2001.c',
> > there are two calls to BN_new() which are not checked for a return
> >
Hello All,
In reviewing code in directory 'crypto/evp', in file 'openbsd_hw.c',
there is a call to OPENSSL_realloc() which is NOT checked for a return
value of NULL, indicating failure. However, the statement after this
is memcpy(), which if the destination variable is NULL, will result
in a