[openssl.org #3083] [PATCH] Adds sanity checking to malloc()/calloc()/alloca() calls in OpenSSL 1.0.1c

2013-06-29 Thread Bill Parker via RT
Hello All, I am not sure that the patches below correct any potential security issue, but use of values returned from calloc()/malloc() and alloca() without checking for NULL may result in undesirable behavior in OpenSSL 1.0.1c. The patches below result in a clean './config' and 'make' under

[openssl-dev] [openssl.org #4402] [PATCH] Missing Sanity Check for BN_new in 'apps/prime.c' for OpenSSL-1.1 pre4

2016-03-09 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'apps', file 'prime.c', there is a call to BN_new() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- prime.c.orig2016-03-08 16:13:24.841500061 -0800 +++ prime.c

[openssl-dev] [openssl.org #4404] [PATCH] Missing Sanity Check for OPENSSL_strdup() in OpenSSL-1.1 pre-4

2016-03-09 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'crypto/conf', file 'conf_mod.c', there is a call to OPENSSL_strdup() which is not checked for a return value of NULL, indicating failure. The patch file below adds the test, and releases the previously allocated memory assigned to 'tmod': ---

Re: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c'

2016-03-09 Thread Bill Parker via RT
Geez, What did I start here (egad) :) Bill On Wed, Mar 9, 2016 at 5:03 AM, Salz, Rich via RT wrote: > > No, you got that right, NULL being 'safe' to free varies with OS. > > Except we mandate ANSI C which means it's portable :) > > -- > Ticket here:

[openssl-dev] [openssl.org #4403] [PATCH] prevent OPENSSL_realloc() from clobbering old pointer value on failure in OpenSSL-1.1 pre-4

2016-03-09 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'crypto/modes', file 'ocb128.c', there is a call to OPENSSL_realloc() which has the potential to clobber the old value of variable 'ctx->l', if the call returns NULL. The patch file below uses a void *tmp_ptr to prevent this from occurring: ---

Re: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c'

2016-03-08 Thread Bill Parker via RT
I must be brain dead today, since free'ing something that is already NULL is not a problem (geez)... Heh On Tue, Mar 8, 2016 at 12:01 PM, Salz, Rich via RT wrote: > > > + if (dest->mont_data != NULL) > > + BN_MONT_CTX_free(dest->mont_data); > >

[openssl-dev] [openssl.org #4400] [PATCH] plug potential memory leak in OpenSSL 1.1 pre 4

2016-03-08 Thread Bill Parker via RT
Hello All, In reviewing source code in directory 'crypto/ocsp', file 'ocsp_ht.c', there is a minor flaw in the test logic which could allow a small memory leak to develop. The patch file below should address/correct this issue: --- ocsp_ht.c.orig 2016-03-08 10:24:51.821632969 -0800 +++

[openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c'

2016-03-08 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'crypto/ec', file 'ec_lib.c', there appears to be allocated memory which is not released when a return 0; is encountered in some cases of OPENSSL_malloc(). The patch file below should address/correct these minor leaks: --- ec_lib.c.orig

[openssl-dev] [openssl.org #4372] [PATCH] Missing sanity check for OPENSSL_malloc() in openssl-1.0.2g in th-lock.c

2016-03-02 Thread Bill Parker via RT
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/threads', file 'th-lock.c', in function 'CRYPTO_thread_setup', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue:

[openssl-dev] [openssl.org #4370] [PATCH] Potential for NULL pointer dereferences in OpenSSL-1.0.2g (CWE-476)

2016-03-02 Thread Bill Parker via RT
Hello All, In reviewing source code in directory 'openssl-1.0.2g/apps', in file 'ca.c', there are a few instances where OPENSSL_malloc() is called, but immediately afterwards a call to memcpy() is made with the return value from the call, but the check for NULL is made AFTER the memcpy().

[openssl-dev] [openssl.org #4380] [PATCH] Missing Sanity Checks for EVP_PKEY_new() in OpenSSL-1.0.2g

2016-03-05 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'crypto/evp', file 'pmeth_gn.c', in function 'EVP_PKEY_keygen()', there is a call to EVP_PKEY_new() which is not checked for a return value of NULL, indicating failure. This test is done in function 'EVP_PKEY_paramgen()', but looks like it was left out

[openssl-dev] [openssl.org #4371] [PATCH] Missing Sanity Check for malloc() in openssl-1.0.2g for 'apps/speed.c'

2016-03-02 Thread Bill Parker via RT
Hello All, In reviewing source code for OpenSSL-1.0.2g, it would appear in file 'apps/speed.c', in function 'static int do_multi()', a call to malloc() is made without being tested for a return value of NULL, indicating failure. The patch file below should address/correct this issue: ---

[openssl-dev] [openssl.org #4374] [PATCH] Potential for NULL pointer dereferences in OpenSSL-1.0.2g (CWE-476)

2016-03-03 Thread Bill Parker via RT
Hello All, In reviewing source code in directory 'openssl-1.0.2g/crypto/evp', in file 'openbsd_hw.c', there are a few instances where OPENSSL_malloc() is called, but immediately afterwards a call to memcpy() is made with the return value from the call to OPENSSL_malloc(), but no check for a

[openssl-dev] [openssl.org #4375] [PATCH] Missing Sanity Checks for OPENSSL_malloc() in OpenSSL-1.0.2g

2016-03-03 Thread Bill Parker via RT
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file 'ssl_ciph.c', in function 'SSL_COMP_add_compression_method()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this

[openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g

2016-03-07 Thread Bill Parker via RT
In reviewing code in directory 'crypto/asn1', file 'asn_moid.c', in function 'do_create()', there is a call to 'OBJ_nid2obj()' which is not checked for a return value of NULL. The patch file below adds the check and returns 0 if NULL is returned: --- asn_moid.c.orig 2016-03-06

[openssl-dev] [openssl.org #4384] [PATCH] Missing Sanity Check plus potential NULL pointer deref (CWE-476)

2016-03-07 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'engines', file 'e_aep.c', there is a call to function 'bn_expand()', but it is not checked for a return value of NULL. However, a member of the variable 'bn' (bn->d) is used in memset()/memcpy() calls, but if 'bn' is NULL, a segmentation

[openssl-dev] [openssl.org #4382] [PATCH] Missing Sanity Check(s) for BUF_strdup() in OpenSSL-1.0.2g

2016-03-07 Thread Bill Parker via RT
Hello All, In reviewing source code in directory 'crypto/conf', file 'conf_mod.c', there is a call to BUF_strdup() in function 'module_add()' which is not checked for a return value of NULL, indicating failure. The patch file below adds the check and calls OPENSSL_free(tmod) to release the

[openssl-dev] [openssl.org #4385] [PATCH] Missing Sanity Checks for RSA_new_method() in OpenSSL-1.0.2g

2016-03-07 Thread Bill Parker via RT
Hello All, In reviewing source code in directory 'engines', file 'e_4758cca.c', there are two calls to function 'RSA_new_method()' which are not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- e_4758cca.c.orig2016-03-06

[openssl-dev] [openssl.org #4386] [PATCH] Add sanity checks for BN_new() in OpenSSL-1.0.2g

2016-03-07 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'engines/ccgost', file 'gost2001.c', there are two calls to BN_new() which are not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- gost2001.c.orig 2016-03-06 11:32:49.676178425

[openssl-dev] [openssl.org #4383] [PATCH] Add error checking for bn2_expand()/BN_new()/RSA_new_method() in file 'e_chil.c' for OpenSSL-1.0.2g

2016-03-07 Thread Bill Parker via RT
Hello All, In reviewing source code in directory 'crypto/engines', file 'e_chil.c' there are some comments warning to check for error when bn_expand2() or BN_new() or RSA_new_method() is called. The patch file below adds the requested checks to the code: --- e_chil.c.orig 2016-03-06

Re: [openssl-dev] [openssl.org #4386] [PATCH] Add sanity checks for BN_new() in OpenSSL-1.0.2g

2016-03-07 Thread Bill Parker via RT
3031 7217 > Oracle Australia > > On Mon, 7 Mar 2016 05:55:23 PM Bill Parker via RT wrote: > > Hello All, > > > > In reviewing code in directory 'engines/ccgost', file 'gost2001.c', > > there are two calls to BN_new() which are not checked for a return > >

[openssl-dev] [openssl.org #4377] Prevent potential NULL pointer dereference in OpenSSL-1.0.2g (CWE-476)

2016-03-04 Thread Bill Parker via RT
Hello All, In reviewing code in directory 'crypto/evp', in file 'openbsd_hw.c', there is a call to OPENSSL_realloc() which is NOT checked for a return value of NULL, indicating failure. However, the statement after this is memcpy(), which if the destination variable is NULL, will result in a