Hello All, In reviewing code in directory 'engines', file 'e_aep.c', there is a call to function 'bn_expand()', but it is not checked for a return value of NULL. However, a member of the variable 'bn' (bn->d) is used in memset()/memcpy() calls, but if 'bn' is NULL, a segmentation fault/violation will occur.
The patch file below checks for a NULL return from 'bn_expand()', but I was not sure what should be returned from here (so I kludged something to fit): --- e_aep.c.orig 2016-03-06 10:47:23.113646348 -0800 +++ e_aep.c 2016-03-06 10:52:27.991394742 -0800 @@ -1137,7 +1137,9 @@ /* * Expand the result bn so that it can hold our big num. Size is in bits */ - bn_expand(bn, (int)(BigNumSize << 3)); + if (!bn_expand(bn, (int)(BigNumSize << 3)) == NULL) + /* what should we do here, a new error code, etc? */ + return 117; /* bn_expand could return NULL, could it not? */ # ifdef SIXTY_FOUR_BIT_LONG bn->top = BigNumSize >> 3; -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4384 Please log in as guest with password guest if prompted
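Review bot: the condition in the added line `if (!bn_expand(bn, (int)(BigNumSize << 3)) == NULL)` is inverted. `!bn_expand(...)` is evaluated first and yields 0 or 1, so comparing that result to NULL makes the branch fire when bn_expand() succeeds and skip it when bn_expand() returns NULL, which is exactly the case the patch is meant to catch. It should read `if (bn_expand(bn, (int)(BigNumSize << 3)) == NULL)` (or simply `if (!bn_expand(bn, (int)(BigNumSize << 3)))`). The `return 117;` with a bare literal also needs replacing with whatever failure value the enclosing function's callers actually check for, and the two placeholder comments ("what should we do here", "could it not?") should be resolved rather than committed.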
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev