Hello, I'm a researcher at Stanford working on the UC-KLEE bug-finding/verification tool. Our tool discovered a bug introduced in patch c0b31ccb87679783c355616aa7c6c6e97eeb9c5d (March 2012) that appears to still affect the latest 1.0.1 and 1.0.2 branches.
The offending code from engines/ccgost/gost_ameth.c is (* denotes executed lines):
--> fails to initialize 'alg':
272: X509_ALGOR *alg;
* 273: ASN1_STRING * params = encode_gost_algor_params(pkey);
* 274: if (!params)
275: {
276: return -1;
277: }
--> should set alg, but may not:
* 278: CMS_RecipientInfo_ktri_get0_algs((CMS_RecipientInfo *)arg2, NULL, NULL, &alg);
--> dereferences alg->parameter:
* 279: X509_ALGOR_set0(alg, OBJ_nid2obj(pkey->type),
When CMS_RecipientInfo_ktri_get0_algs() is passed an invalid CMS_RecipientInfo
arg2 (ri->type != CMS_RECIPINFO_TRANS), the function does not set 'alg'. The
code then passes this uninitialized pointer to X509_ALGOR_set0(), which reads
from alg->parameter.
Attached is a proposed fix, which initializes 'alg' to NULL, as done by the
analogous code in rsa_pkey_ctrl() and pkey_rsa_ctrl().
Thanks,
-David
[Attachment: gost-uninitialized-ptr-write.patch]
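An added example, not code from the report, the attached patch or OpenSSL: a self-contained C model of the pattern described above, with a getter that fills its output pointer only for the key-transport recipient type and a caller that initializes that pointer to NULL and guards the dereference, as the rsa_pkey_ctrl() code the report cites does. All demo_ names and the struct layouts are invented stand-ins for the CMS types.

```c
/* Added example, not OpenSSL code: a model of the gost_ameth.c bug pattern.
 * A getter fills its output pointer only for one recipient-info type; the
 * caller must not rely on it having been set. Names prefixed demo_ are invented. */
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the CMS types, reduced to the fields the demo needs. */
enum { DEMO_RECIPINFO_TRANS = 0, DEMO_RECIPINFO_AGREE = 1 };

typedef struct { const char *parameter; } demo_algor;
typedef struct { int type; demo_algor keyenc_alg; } demo_recipient_info;

/* Models CMS_RecipientInfo_ktri_get0_algs(): the output pointer is written
 * only for the key-transport type; for any other type it is left untouched. */
static int demo_ktri_get0_algs(demo_recipient_info *ri, demo_algor **palg)
{
    if (ri->type != DEMO_RECIPINFO_TRANS)
        return 0;                   /* *palg untouched: the root of the bug */
    if (palg != NULL)
        *palg = &ri->keyenc_alg;
    return 1;
}

/* Hardened form of the caller: alg starts as NULL (the report's fix) and the
 * dereference is guarded the way rsa_pkey_ctrl() guards it.
 * Returns 1 on success, -1 when the getter did not supply an algorithm. */
int demo_encrypt_ctrl_fixed(demo_recipient_info *ri, const char *params)
{
    demo_algor *alg = NULL;
    demo_ktri_get0_algs(ri, &alg);
    if (alg == NULL)
        return -1;                  /* uninitialized version would write here */
    alg->parameter = params;        /* stands in for X509_ALGOR_set0(alg, ...) */
    return 1;
}

/* Build a recipient info of the given type and run the fixed routine on it. */
int demo_run(int type)
{
    demo_recipient_info ri = { type, { NULL } };
    return demo_encrypt_ctrl_fixed(&ri, "constructed-gost-params");
}

int main(void)
{
    printf("key transport: %d\n", demo_run(DEMO_RECIPINFO_TRANS));  /* 1 */
    printf("key agreement: %d\n", demo_run(DEMO_RECIPINFO_AGREE));  /* -1 */
    return 0;
}
```

With the NULL initialization alone the wild read becomes a NULL dereference; the guard is what turns it into a clean error return.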
