Hello, Our UC-KLEE tool found a NULL function pointer call in the latest OpenSSL 1.0.1 (and probably other versions) in n_ssl3_mac() (ssl/s3_enc.c) caused by an unchecked return value from EVP_MD_CTX_copy_ex().
The offending code from n_ssl3_mac() is:

    EVP_MD_CTX_init(&md_ctx);
    EVP_MD_CTX_copy_ex( &md_ctx,hash);
    EVP_DigestUpdate(&md_ctx,mac_sec,md_size);

The call to EVP_DigestUpdate() invokes the function pointer md_ctx.update(). If EVP_MD_CTX_copy_ex() returns 0 for any of a number of reasons, this function pointer is set to 0, causing EVP_DigestUpdate() to invoke a NULL function pointer.

From grepping around the OpenSSL codebase, similar bugs exist at other unchecked uses of EVP_MD_CTX_copy_ex. It's not clear to me whether an attacker could force this function to fail.

Attached is a suggested patch, but fixes may be necessary at other call sites.

Thanks,
-David
n_ssl3_mac-null-func-ptr-call.patch
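The failure mode described in the report, as an added example that is neither the attached patch nor OpenSSL code: a stand-alone C model of the EVP_MD_CTX shapes involved (a context holding a function pointer, a copy routine that cleans the destination and then fails when the source is not set up, and an update routine that calls through the pointer without checking it), so that the unchecked pattern and the checked alternative can be compiled and run without libcrypto. All names prefixed model_/toy_ are invented for this example; the sample MAC secret bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a toy model of the OpenSSL API shapes, not OpenSSL itself. */
typedef struct model_md_ctx {
    const void *digest;                                              /* NULL when uninitialised */
    int (*update)(struct model_md_ctx *ctx, const void *d, size_t n); /* the pointer EVP_DigestUpdate() calls */
    unsigned long acc;                                               /* toy digest state */
} model_md_ctx;

/* Toy "digest": a simple polynomial accumulator, enough to see the data flow. */
static int toy_update(model_md_ctx *ctx, const void *d, size_t n)
{
    const unsigned char *p = d;
    for (size_t i = 0; i < n; i++)
        ctx->acc = ctx->acc * 31 + p[i];
    return 1;
}

static const int toy_digest_marker = 1;

/* Models EVP_MD_CTX_init(): everything zeroed, including the function pointer. */
void model_ctx_init(model_md_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Prepares a usable source context (the role of `hash` in n_ssl3_mac()). */
void model_ctx_setup(model_md_ctx *ctx)
{
    model_ctx_init(ctx);
    ctx->digest = &toy_digest_marker;
    ctx->update = toy_update;
}

/* Models EVP_MD_CTX_copy_ex(): the destination is cleaned first, then the copy
 * is refused (return 0) if the source has no digest. On failure `out` is left
 * with a NULL update pointer, which is the state the report describes. */
int model_ctx_copy_ex(model_md_ctx *out, const model_md_ctx *in)
{
    memset(out, 0, sizeof *out);
    if (in->digest == NULL)
        return 0;
    *out = *in;
    return 1;
}

/* Models EVP_DigestUpdate(): calls through ctx->update unconditionally. */
int model_digest_update(model_md_ctx *ctx, const void *d, size_t n)
{
    return ctx->update(ctx, d, n);
}

/* The unchecked pattern from the report: if the copy fails, the next line
 * calls a NULL function pointer. Only safe to call with a set-up `hash`. */
int mac_unchecked(const model_md_ctx *hash, const unsigned char *mac_sec, size_t md_size)
{
    model_md_ctx md_ctx;
    model_ctx_init(&md_ctx);
    model_ctx_copy_ex(&md_ctx, hash);                      /* return value ignored */
    return model_digest_update(&md_ctx, mac_sec, md_size); /* NULL call if copy failed */
}

/* The checked pattern: test the copy's result and return an error before the
 * function pointer is ever used. Returns 1 on success, 0 on error. */
int mac_checked(const model_md_ctx *hash, const unsigned char *mac_sec, size_t md_size,
                unsigned long *out_acc)
{
    model_md_ctx md_ctx;
    model_ctx_init(&md_ctx);
    if (!model_ctx_copy_ex(&md_ctx, hash))
        return 0;
    if (!model_digest_update(&md_ctx, mac_sec, md_size))
        return 0;
    *out_acc = md_ctx.acc;
    return 1;
}

/* Reports, without dereferencing it, whether the unchecked path would hit NULL. */
int unchecked_would_call_null(const model_md_ctx *hash)
{
    model_md_ctx md_ctx;
    model_ctx_init(&md_ctx);
    model_ctx_copy_ex(&md_ctx, hash);
    return md_ctx.update == NULL;
}

int main(void)
{
    static const unsigned char mac_sec[] = {1, 2, 3}; /* constructed sample secret */
    model_md_ctx good, bad;
    unsigned long acc = 0;

    model_ctx_setup(&good);
    model_ctx_init(&bad); /* digest left NULL: the copy will fail */

    printf("good ctx: checked=%d acc=%lu\n", mac_checked(&good, mac_sec, sizeof mac_sec, &acc), acc);
    printf("bad ctx:  checked=%d, unchecked path would call NULL: %d\n",
           mac_checked(&bad, mac_sec, sizeof mac_sec, &acc), unchecked_would_call_null(&bad));
    return 0;
}
```

The point of the model is the ordering inside the copy: the destination is wiped before the failure check, so a failed copy does not leave the old context behind, it leaves a zeroed one. Any caller that ignores the return value therefore proceeds with update == NULL, and the crash surfaces one call later, in a function that looks unrelated. Checking every EVP_MD_CTX_copy_ex() call site, as the report suggests, is the fix that generalises.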