Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file 'ssl_ciph.c', in function 'SSL_COMP_add_compression_method()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- ssl_ciph.c.orig 2016-03-02 17:39:01.677826126 -0800
+++ ssl_ciph.c 2016-03-02 17:40:51.942840242 -0800
@@ -1996,6 +1996,8 @@
 MemCheck_off();
 comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp == NULL)
+ return 1;
 comp->id = id;
 comp->method = cm;
 load_builtin_compressions();
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/bio', file 'bss_rtcp.c', in function 'rtcp_new()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- bss_rtcp.c.orig 2016-03-02 15:25:08.307826108 -0800
+++ bss_rtcp.c 2016-03-02 15:25:47.326785217 -0800
@@ -170,6 +170,8 @@
 bi->num = 0;
 bi->flags = 0;
 bi->ptr = OPENSSL_malloc(sizeof(struct rpc_ctx));
+ if (bi->ptr == NULL)
+ return (0);
 ctx = (struct rpc_ctx *)bi->ptr;
 ctx->filled = 0;
 ctx->pos = 0;
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'apps', file 'apps.c', in function 'args_from_file()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- apps.c.orig 2016-03-02 15:27:24.293109138 -0800
+++ apps.c 2016-03-02 15:27:48.108135906 -0800
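Review bot: In the ssl_ciph.c hunk the new `return 1;` sits after `MemCheck_off();`, so the allocation-failure path leaves memory-debug checking switched off and queues no error. The early exit should undo that first: `if (comp == NULL) { MemCheck_on(); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); return 1; }`. The rest of SSL_COMP_add_compression_method() lies outside the hunk, so confirm how its other error exits restore that state.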
@@ -215,7 +215,8 @@
 if (arg != NULL)
 OPENSSL_free(arg);
 arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
-
+ if (arg == NULL)
+ return (0);
 *argv = arg;
 num = 0;
 p = buf;
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/x509', file 'by_dir.c', in function 'get_cert_by_subject()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- by_dir.c.orig 2016-03-02 15:29:32.361385958 -0800
+++ by_dir.c 2016-03-02 15:30:04.762503973 -0800
@@ -401,6 +401,10 @@
 }
 if (!hent) {
 hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
+ if (hent == NULL) {
+ X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
+ goto finish;
+ }
 hent->hash = h;
 hent->suffix = k;
 if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'engines', file 'e_capi.c', in function 'capi_get_provname()', there is a call to OPENSSL_malloc() or alloca() which is not checked for a return value of NULL, indicating failure. In function 'capi_cert_get_fname()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. In function '*capi_get_key()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- e_capi.c.orig 2016-03-02 15:31:15.011432251 -0800
+++ e_capi.c 2016-03-02 15:35:24.264110984 -0800
@@ -1106,6 +1106,10 @@
 name = alloca(len);
 else
 name = OPENSSL_malloc(len);
+ if (name == NULL) {
+ CAPIerr(CAPI_F_CAPI_GET_PROVNAME, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
 if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) {
 err = GetLastError();
 if (err == ERROR_NO_MORE_ITEMS)
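Review bot: In the by_dir.c hunk the new `goto finish;` leaves the `if (!hent)` block without whatever cleanup the neighbouring `sk_BY_DIR_HASH_push` failure branch performs; that branch's body is outside the hunk. As far as I recall, this part of get_cert_by_subject() runs with the X509 store write lock held, in which case the new branch needs `CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);` before the jump, or the lock stays held after an allocation failure. Please check the surrounding lines and mirror the existing failure branch.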
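Review bot: In the first e_capi.c hunk (capi_get_provname) the added `name == NULL` test only covers the `OPENSSL_malloc(len)` branch, because `alloca(len)` does not report failure by returning NULL; an oversized request simply overruns the stack. A comment such as `/* alloca() never returns NULL; this check covers the OPENSSL_malloc() path only */` would keep the check from reading as protection for both branches. If `len` is not already bounded above the hunk, it should be limited before it reaches alloca(), since it appears to come from the provider enumeration call.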
@@ -1286,6 +1290,10 @@
 (cert, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dlen))
 return NULL;
 wfname = OPENSSL_malloc(dlen);
+ if (wfname == NULL) {
+ CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, ERR_R_MALLOC_FAILURE);
+ return NULL;
+ }
 if (CertGetCertificateContextProperty
 (cert, CERT_FRIENDLY_NAME_PROP_ID, wfname, &dlen)) {
 char *fname = wide_to_asc(wfname);
@@ -1436,6 +1444,11 @@
 CAPI_KEY *key;
 DWORD dwFlags = 0;
 key = OPENSSL_malloc(sizeof(CAPI_KEY));
+ if (key == NULL) {
+ CAPIerr(CAPI_F_CAPI_GET_KEY, ERR_R_MALLOC_FAILURE);
+ capi_addlasterror();
+ goto err;
+ }
 if (sizeof(TCHAR) == sizeof(char))
 CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
 contname, provname, ptype);
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/jpake', file 'jpake.c', in function 'PAKE_CTX_new()', there is a call to OPENSSL_malloc() or alloca() which is not checked for a return value of NULL, indicating failure. In function 'hashbn()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- jpake.c.orig 2016-03-02 16:33:13.494032268 -0800
+++ jpake.c 2016-03-02 16:34:37.809748362 -0800
@@ -116,6 +116,8 @@
 const BIGNUM *secret)
 {
 JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx);
+ if (ctx == NULL)
+ return NULL;
 JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret);
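Review bot: In the capi_get_key hunk (the third e_capi.c hunk) the new branch calls `capi_addlasterror();` after a failed OPENSSL_malloc(); judging by its name that helper appends the Win32 last-error value, which the allocator does not set, so the error queue would carry an unrelated stale code. Dropping that line and keeping `CAPIerr(CAPI_F_CAPI_GET_KEY, ERR_R_MALLOC_FAILURE);` is enough to describe the failure. The `err` label is outside the hunk, so confirm that its cleanup tolerates `key == NULL`.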
@@ -150,6 +152,8 @@
 {
 size_t l = BN_num_bytes(bn);
 unsigned char *bin = OPENSSL_malloc(l);
+ if (bin == NULL)
+ return NULL; /* oops, memory allocation failed... */
 hashlength(sha, l);
 BN_bn2bin(bn, bin);
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file 't1_lib.c', in function 'tls1_process_heartbeat()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. In function 'tls1_heartbeat()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- t1_lib.c.orig 2016-03-02 17:59:59.042630727 -0800
+++ t1_lib.c 2016-03-02 18:01:33.275607253 -0800
@@ -3856,6 +3856,8 @@
 * plus 2 bytes payload length, plus payload, plus padding
 */
 buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+ if (!buffer)
+ return -1;
 bp = buffer;
 /* Enter response type, length and copy payload */
@@ -3942,6 +3944,8 @@
 * - Padding
 */
 buf = OPENSSL_malloc(1 + 2 + payload + padding);
+ if (!buf)
+ return -1;
 p = buf;
 /* Message Type */
 *p++ = TLS1_HB_REQUEST;
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/asn1', file 'asn_mime.c', in function 'multi_split()', there is a call to BIO_new() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- asn_mime.c.orig 2016-03-03 09:50:57.496613461 -0800
+++ asn_mime.c 2016-03-03 09:52:36.254165038 -0800
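Review bot: In the hashbn() hunk of jpake.c the added `return NULL;` returns a value, but the function's signature is outside the hunk and, as I recall, hashbn() is declared `static void`; if so this must be a bare `return;` to compile cleanly. The larger problem is that a silent return leaves this bignum out of the running SHA digest (the `hashlength(sha, l)` and `BN_bn2bin(bn, bin)` lines are skipped) and the caller cannot tell. Under memory pressure the J-PAKE hash would then be computed over incomplete input, so hashbn() should report a status that its callers check rather than return quietly.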
@@ -623,6 +623,8 @@
 if (bpart)
 sk_BIO_push(parts, bpart);
 bpart = BIO_new(BIO_s_mem());
+ if (!bpart)
+ return 1;
 BIO_set_mem_eof_return(bpart, 0);
 } else if (eol)
 BIO_write(bpart, "\r\n", 2);
=======================================================================
Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/asn1', file 'pk7_doit.c', in function 'PKCS7_dataDecode()', there is a call to BIO_new() which is not checked for a return value of NULL, indicating failure.
The patch file below should address/correct this issue:
--- pk7_doit.c.orig 2016-03-03 10:08:08.316625383 -0800
+++ pk7_doit.c 2016-03-03 10:09:19.093620776 -0800
@@ -642,6 +642,8 @@
 } else {
 # if 0
 bio = BIO_new(BIO_s_mem());
+ if (bio == NULL)
+ goto err;
 /*
 * We need to set this so that when we have read all the data, the
 * encrypt BIO, if present, will read EOF and encode the last few
=======================================================================
-- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4375 Please log in as guest with password guest if prompted
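Review bot: In the asn_mime.c hunk the allocation failure exits with `return 1;`, and if 1 is multi_split()'s success value, as it is for most OpenSSL functions returning int, a failed BIO_new() is reported as a successfully split multipart body. The function's return convention is outside the hunk, so this needs checking against its other exits. If confirmed, the S/MIME caller would receive an incomplete `parts` stack as though it were complete, and `return 0;` looks like the intended value.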
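Review bot: In the pk7_doit.c hunk the added `if (bio == NULL) goto err;` sits directly under `# if 0`, so it is never compiled and the live allocation in PKCS7_dataDecode() stays unchecked. The test belongs in the `# else` arm, which is outside the hunk; whatever BIO is created there should be followed by the same `if (bio == NULL) goto err;` before it is used.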