The branch master has been updated
via 7f07149d25f8d7e00e9350ff2f064a4d25c1a13d (commit)
from 20967afb7f4a2613a6d7230bcbdf99140bccd677 (commit)
- Log -----------------------------------------------------------------
commit 7f07149d25f8d7e00e9350ff2f064a4d25c1a13d
Author: Guido Vranken <guidovran...@gmail.com>
Date: Mon Feb 13 01:36:43 2017 +0100
Prevent allocations of size 0 in sh_init, which are not possible with the
default OPENSSL_zalloc, but are possible if the user has installed their own
allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the
secure heap code will later access (at least) the first byte of that space,
which is technically an OOB access. This could lead to problems with some
custom allocators that only return a valid pointer for subsequent free()-ing,
and do not expect that the pointer is actually dereferenced.
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2605)
-----------------------------------------------------------------------
Summary of changes:
crypto/mem_sec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 4ccff34..0c79b43 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -356,6 +356,10 @@ static int sh_init(size_t size, int minsize)
sh.minsize = minsize;
sh.bittable_size = (sh.arena_size / sh.minsize) * 2;
+ /* Prevent allocations of size 0 later on */
+ if (sh.bittable_size >> 3 == 0)
+ goto err;
+
sh.freelist_size = -1;
for (i = sh.bittable_size; i; i >>= 1)
sh.freelist_size++;
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
