Hello All, In reviewing source code in directory 'openssl-1.0.2g/apps', in file 'ca.c', there are a few instances where OPENSSL_malloc() is called and its return value is passed straight to memcpy(); the check for NULL is only made AFTER the memcpy(), i.e. after the pointer has already been dereferenced.
However, if the 1st argument to memcpy() is NULL, a segmentation fault/ violation will occur. The patch file below should address/correct this issue:
--- ca.c.orig 2016-03-01 18:08:42.795466224 -0800
+++ ca.c 2016-03-01 18:13:10.149445540 -0800
@@ -2107,6 +2107,10 @@
 tm = X509_get_notAfter(ret);
 row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
+ if (row[DB_exp_date] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto err;
+ }
 memcpy(row[DB_exp_date], tm->data, tm->length);
 row[DB_exp_date][tm->length] = '\0';
@@ -2116,7 +2120,7 @@
 row[DB_file] = (char *)OPENSSL_malloc(8);
 row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
- if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+ if ((row[DB_type] == NULL) || (row[DB_file] == NULL) ||
 (row[DB_name] == NULL)) {
 BIO_printf(bio_err, "Memory allocation failure\n");
 goto err;
@@ -2375,6 +2379,10 @@
 tm = X509_get_notAfter(x509);
 row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
+ if (row[DB_exp_date] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto err;
+ }
 memcpy(row[DB_exp_date], tm->data, tm->length);
 row[DB_exp_date][tm->length] = '\0';
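Review bot: The malloc / memcpy / manual `'\0'` sequence that builds `row[DB_exp_date]` now carries a four-line NULL check here, and the identical sequence with the identical check is repeated in the third hunk (the 2375 hunk for the revocation path); a small `static` helper that returns the NUL-terminated copy or NULL would leave one place to check and one message to keep in sync. If this tree's `BUF_strndup()` is the plain malloc+memcpy+terminate wrapper, `row[DB_exp_date] = BUF_strndup((char *)tm->data, tm->length);` followed by the NULL test collapses the whole thing to two lines, but confirm its 1.0.2 semantics before relying on it. The `goto err` assumes the `err:` label frees every `row[]` entry allocated so far; that label is outside the hunk, as are the start and end of the enclosing function.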
@@ -2385,8 +2393,7 @@
 /* row[DB_name] done already */
- if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
- (row[DB_file] == NULL)) {
+ if ((row[DB_type] == NULL) || (row[DB_file] == NULL)) {
 BIO_printf(bio_err, "Memory allocation failure\n");
 goto err;
 }
======================================================================= In directory 'openssl-1.0.2g/crypto/engine', file 'eng_cryptodev.c', there is a call to OPENSSL_malloc() in function 'cryptodev_digest_copy()' where the return value is not checked for NULL, but immediately afterwards the statement: memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len); is processed, but if dstate->mac_data is NULL, this will cause a segmentation fault/violation. The patch file below should address/correct this issue:
--- eng_cryptodev.c.orig 2016-03-01 19:31:03.315380900 -0800
+++ eng_cryptodev.c 2016-03-01 19:32:43.154069884 -0800
@@ -937,6 +937,10 @@
 if (fstate->mac_len != 0) {
 if (fstate->mac_data != NULL) {
 dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
+ if (dstate->mac_data == NULL) {
+ printf("cryptodev_digest_init: Memory allocation failed\n");
+ return (0);
+ }
 memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
 dstate->mac_len = fstate->mac_len;
 }
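Review bot: The new diagnostic `printf("cryptodev_digest_init: Memory allocation failed\n")` names the wrong function: the post itself places this hunk in cryptodev_digest_copy(), so an OOM here would be misattributed when someone reads the output; `printf("cryptodev_digest_copy: Memory allocation failed\n");` is the minimum fix. The early `return (0)` also abandons whatever the copy routine set up for `dstate` before this point; the start of the function is outside the hunk, so if it opened a device fd or cryptodev session for the destination state, that should be released on this path too, or it should be confirmed that the caller's cleanup of the destination context does so. Note that `dstate->mac_len` is assigned only after the copy succeeds, so on this failure path `dstate->mac_data` is NULL while `mac_len` keeps whatever value it had; make sure the cleanup routine keys off `mac_data` rather than `mac_len`.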
@@ -573,6 +573,8 @@
 return 0;
 objlen = p - value;
 objtmp = OPENSSL_malloc(objlen + 1);
+ if (objtmp == NULL)
+ return 0;
 strncpy(objtmp, value, objlen);
 objtmp[objlen] = 0;
 gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
======================================================================= In directory 'openssl-1.0.2g/crypto/ui', in file 'ui_lib.c', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure, but immediately afterwards the statement: BUF_strlcpy(prompt, prompt1, len + 1); is processed, but if 'prompt' is NULL, this will generate a segmentation fault/violation: The patch file below should address/correct this issue:
--- ui_lib.c.orig 2015-09-12 09:05:14.193000000 -0700
+++ ui_lib.c 2015-09-12 09:56:53.328000000 -0700
@@ -413,6 +413,9 @@
 len += sizeof(prompt3) - 1;
 prompt = (char *)OPENSSL_malloc(len + 1);
+ if (prompt == NULL) {
+ return NULL;
+ }
 BUF_strlcpy(prompt, prompt1, len + 1);
 BUF_strlcat(prompt, object_desc, len + 1);
 if (object_name) {
======================================================================= -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4370 Please log in as guest with password guest if prompted
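Review bot: The added `return 0;` reports the allocation failure silently, whereas libcrypto's convention is to put OOM on the error queue so callers (and `openssl` apps printing ERR_print_errors) can see why the extension failed to parse; add `X509V3err(X509V3_F_DO_OTHERNAME, ERR_R_MALLOC_FAILURE);` before the return, assuming that function code exists in this tree (otherwise add it to x509v3.h and v3_err.c). Returning 0 here leaves `gen->d.otherName` allocated, but the `return 0;` context line at the top of the hunk already takes the same path, so freeing `gen` is presumably the caller's job — worth confirming rather than changing in this hunk. The enclosing do_othername() starts and ends outside the hunk.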
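Review bot: Same silent failure as the v3_alt.c hunk: `return NULL` on OOM with nothing on the error queue, so a caller cannot distinguish this from the function's other NULL returns; a `UIerr(<this function's code>, ERR_R_MALLOC_FAILURE);` before the return (the function name and its code are outside the hunk) would match how this file reports allocation failures elsewhere. Separately, this hunk's file headers are dated 2015-09-12 while the other three patches were generated on 2016-03-01 against 1.0.2g; it was evidently produced from an older tree, so regenerate it against 1.0.2g to be sure the 413 offset and context still apply.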