Hello, The attached patch fixes possible NULL pointer dereferences when malloc fails. This was reported by qualitesys (http://marc.info/?l=openssl-dev&m=140243635405343), and I created the fix (no repeat of what happened last time).
Regards, Kurt Cancemi
>From 033ce19ea9268a81410cd1e07f628dee43dcc3ad Mon Sep 17 00:00:00 2001
From: Kurt Cancemi <k...@x64architecture.com>
Date: Mon, 23 Jun 2014 02:17:47 -0400
Subject: [PATCH] Fixed possible null pointers if malloc fails. Found by qualitesys.
---
 ssl/d1_both.c | 7 +++++++
 ssl/s3_enc.c | 5 +++++
 ssl/ssl_ciph.c | 5 +++++
 ssl/ssl_sess.c | 5 +++++
 4 files changed, 22 insertions(+)
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 51d484d..e559cbf 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1371,6 +1371,13 @@ dtls1_process_heartbeat(SSL *s)
 * payload, plus padding */
 buffer = OPENSSL_malloc(write_length);
+
+ if (buffer == NULL)
+ {
+ SSLerr(SSL_F_DTLS1_HEARTBEAT,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
 bp = buffer;
 /* Enter response type, length and copy payload */
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 6c103a0..7b6c65b 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -617,6 +617,11 @@ int ssl3_digest_cached_records(SSL *s)
 /* Allocate handshake_dgst array */
 ssl3_free_digest_list(s);
 s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
+ if (s->s3->handshake_dgst == NULL)
+ {
+ SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
 memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST *sizeof(EVP_MD_CTX *));
 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
 if (hdatalen <= 0)
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index ad9b762..8d37aa2 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1951,6 +1951,11 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
 MemCheck_off();
 comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp == NULL)
+ {
+ SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,ERR_R_MALLOC_FAILURE);
+ return(1);
+ }
 comp->id=id;
 comp->method=cm;
 load_builtin_compressions();
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 73d87fd..0d5d43f 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
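Review bot: In the ssl/d1_both.c hunk, the new failure path in dtls1_process_heartbeat records the error under `SSL_F_DTLS1_HEARTBEAT`, which by the naming pattern of the other three hunks identifies dtls1_heartbeat rather than the function being patched, so the error queue would name the wrong function. The branch also ends in `return 0;`, and the rest of the function lies outside the hunk. If 0 there means "record handled or silently discarded" and failures are reported as negative values, the caller will treat an allocation failure as success while an error sits on the queue, and `return -1;` would be the consistent choice. A short comment above the check, such as `/* out of memory: no heartbeat response is sent */`, would make the intent explicit.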
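Review bot: In the ssl/ssl_ciph.c hunk, the added early return in SSL_COMP_add_compression_method leaves memory checking switched off, because `MemCheck_off();` runs on the context line just before the allocation and the new branch returns without the matching call. Add `MemCheck_on();` as the first statement inside the `if (comp == NULL)` block, before the `SSLerr(...)` line. The function continues past the end of the hunk, so its other exit paths should be checked for the same pairing.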
@@ -788,6 +788,11 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
 session->krb5_client_princ_len > 0)
 {
 s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1);
+ if (s->kssl_ctx->client_princ == NULL)
+ {
+ SSLerr(SSL_F_SSL_SET_SESSION,ERR_R_MALLOC_FAILURE);
+ return(0);
+ }
 memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ, session->krb5_client_princ_len);
 s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
--
2.0.0