The cryptographic engineering team at Blue Coat systems is conducting a review
of OpenSSL and have found the following minor bug. We would appreciate your
consideration.
Observe the following lines in evp_enc.c:
if (in->cipher_data && in->cipher->ctx_size) {
out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
if (!out->cipher_data) {
EVPerr(EVP_F_EVP_CIPHER_CTX_COPY, ERR_R_MALLOC_FAILURE);
return 0;
}
memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
}
if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY)
return in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out);
Note that in->cipher data is checked for NULL, which implies that
in->cipher_data can be NULL. Now, take a look at function ads_ccm_ctrl, which
is what in->cipher_ctrl points to:
static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
EVP_AES_CCM_CTX *cctx = c->cipher_data;
switch (type) {
case EVP_CTRL_INIT:
cctx->key_set = 0;
cctx->iv_set = 0;
cctx->L = 8;
cctx->M = 12;
cctx->tag_set = 0;
cctx->len_set = 0;
return 1;
Note that c->cipher_data has been dereferenced, even though it may be NULL.
Thanks,
Harold Stuart
Senior Staff Engineer
Blue Coat Systems, Inc.
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
