On 04.03.2016 20:33, Bill Parker via RT wrote:
> In reviewing code in directory 'crypto/evp', in file 'openbsd_hw.c',
> there is a call to OPENSSL_realloc() which is NOT checked for a return
> value of NULL, indicating failure. However, the statement after this
> is memcpy(), which if the destination variable is NULL, will result
> in a segmentation fault/violation.
>
> The patch file below should address/correct this issue:
>
> --- openbsd_hw.c.orig 2016-03-02 15:36:57.236927351 -0800
> +++ openbsd_hw.c 2016-03-03 18:56:58.169567807 -0800
> @@ -364,6 +378,10 @@
> return do_digest(md_data->sess.ses, md_data->md, data, len);
>
> md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len);
> + if (md_data->data == NULL) {
> + err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory");
> + return 0;
> + }
> memcpy(md_data->data + md_data->len, data, len);
> md_data->len += len;
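Review bot: the NULL check in this hunk comes one statement too late, because the OPENSSL_realloc() result is stored straight into md_data->data before it is tested; on failure the only pointer to the previous buffer has already been overwritten (the old block leaks) and the function returns with md_data->len still counting bytes that no longer exist, so a later update or final on the same context dereferences a NULL md_data->data. Store the result in a temporary and only commit it on success, keeping the old buffer and length intact otherwise, e.g. `tmp = OPENSSL_realloc(md_data->data, md_data->len + len); if (tmp == NULL) { err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory"); return 0; } md_data->data = tmp;`. The error path should also leave the context in a state the cleanup routine can free without a second fault.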
1) After return, it leaves with md_data->data = NULL and (possibly) md_data->len > 0, so the next call to *update or *final will segfault.
2) Leaks the old data that was pointed to by md_data.

P.S. md5, 3des and rc4. At least, it is not in master already.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4377
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
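The two problems raised in the reply (a dangling length after a failed realloc, and the leak of the old buffer) come from one idiom: assigning realloc's return value directly to the only pointer that holds the buffer. The following is an added, self-contained C example and is not OpenSSL's code; the `struct buf`, `append_direct`, `append_checked`, `buf_consistent`, `demo` and the `fail_next_alloc` hook are hypothetical names constructed here to mirror the `md_data->data` / `md_data->len` pair. It runs both variants against a forced allocation failure so the difference in end state is observable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer mirroring md_data->data and md_data->len. */
struct buf {
    unsigned char *data;
    size_t len;
};

/* Constructed test hook: when nonzero, the next allocation is forced to fail
   so the error path can be exercised deterministically. */
static int fail_next_alloc = 0;

static void *xrealloc(void *p, size_t n)
{
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* The problematic idiom: realloc's result overwrites the only pointer to the
   buffer before it is checked. On failure the old block becomes unreachable
   (leaked) and len still describes bytes that data no longer points to.
   Returns 1 on success, 0 on failure. */
int append_direct(struct buf *b, const void *src, size_t n)
{
    b->data = xrealloc(b->data, b->len + n);
    if (b->data == NULL)
        return 0;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 1;
}

/* Hardened form: keep the old pointer until realloc succeeds. On failure the
   buffer is untouched, still freeable, and data/len remain consistent. */
int append_checked(struct buf *b, const void *src, size_t n)
{
    unsigned char *tmp = xrealloc(b->data, b->len + n);
    if (tmp == NULL)
        return 0;
    b->data = tmp;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 1;
}

/* Invariant a later update/final step relies on: a non-zero length implies a
   non-NULL buffer. Returns 1 when the invariant holds. */
int buf_consistent(const struct buf *b)
{
    return b->len == 0 || b->data != NULL;
}

/* Append once, then force the second allocation to fail, for each variant.
   Returns 1 when the direct idiom ends inconsistent (NULL data, len 3) and
   the checked idiom keeps its original three bytes and a consistent state. */
int demo(void)
{
    struct buf a = { NULL, 0 };
    struct buf c = { NULL, 0 };
    int ok = 1;

    ok &= append_direct(&a, "abc", 3);
    fail_next_alloc = 1;
    ok &= (append_direct(&a, "def", 3) == 0);
    ok &= (buf_consistent(&a) == 0);     /* data == NULL but len == 3 */
    /* a.data is NULL here; the original 3-byte block has been leaked. */

    ok &= append_checked(&c, "abc", 3);
    fail_next_alloc = 1;
    ok &= (append_checked(&c, "def", 3) == 0);
    ok &= (buf_consistent(&c) == 1);
    ok &= (c.len == 3 && memcmp(c.data, "abc", 3) == 0);
    free(c.data);                         /* still reachable, so no leak */

    return ok;
}

int main(void)
{
    int ok = demo();
    printf("direct idiom leaves inconsistent state, checked idiom does not: %s\n",
           ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The `buf_consistent` check is the property a digest context's update and final paths implicitly assume; running the program under a leak checker on the `append_direct` path also shows the lost block, which is the second point in the reply.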