root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Add more negative checks for integers passed to OPENSSL_malloc(). 

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14830)
This commit is contained in:
Shane Lontis 2021-04-12 13:58:14 +10:00
parent 34ed733396
commit 42e7d2f10e
18 changed files with 49 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/lib/app_x509.c
View File

@ -26,7 +26,7 @@ static ASN1_OCTET_STRING *mk_octet_string(void *value, size_t value_n)
if (v == NULL) {
BIO_printf(bio_err, "error: allocation failed\n");
} else if (!ASN1_OCTET_STRING_set(v, value, value_n)) {
} else if (!ASN1_OCTET_STRING_set(v, value, (int)value_n)) {
ASN1_OCTET_STRING_free(v);
v = NULL;
}

3
crypto/asn1/a_dup.c
View File

@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x)
return NULL;
i = i2d(x, NULL);
if (i <= 0)
return NULL;
b = OPENSSL_malloc(i + 10);
if (b == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);

6
crypto/asn1/a_int.c
View File

@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
ASN1_INTEGER *ret = NULL;
const unsigned char *p;
unsigned char *s;
long len;
long len = 0;
int inf, tag, xclass;
int i;
@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
goto err;
}
if (len < 0) {
i = ASN1_R_ILLEGAL_NEGATIVE_VALUE;
goto err;
}
/*
* We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
* a missing NULL parameter.

2
crypto/asn1/a_mbstr.c
View File

@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
len = strlen((const char *)in);
if (!mask)
mask = DIRSTRING_TYPE;
if (len < 0)
return -1;
/* First do a string check and work out the number of characters */
switch (inform) {

2
crypto/asn1/bio_asn1.c
View File

@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b)
static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)
{
if ((ctx->buf = OPENSSL_malloc(size)) == NULL) {
if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;
}

2
crypto/asn1/p5_pbe.c
View File

@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
}
if (!saltlen)
saltlen = PKCS5_SALT_LEN;
if (saltlen < 0)
goto err;
sstr = OPENSSL_malloc(saltlen);
if (sstr == NULL) {

2
crypto/asn1/p5_pbev2.c
View File

@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
kdf->salt->value.octet_string = osalt;
kdf->salt->type = V_ASN1_OCTET_STRING;
if (saltlen < 0)
goto merr;
if (saltlen == 0)
saltlen = PKCS5_SALT_LEN;
if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL)

2
crypto/asn1/tasn_utl.c
View File

@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
return 1;
OPENSSL_free(enc->enc);
if (inlen <= 0)
return 0;
if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;

10
crypto/bio/bf_buff.c
View File

@ -289,7 +289,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
break;
case BIO_C_SET_BUFF_READ_DATA:
if (num > ctx->ibuf_size) {
p1 = OPENSSL_malloc((int)num);
if (num <= 0)
return 0;
p1 = OPENSSL_malloc((size_t)num);
if (p1 == NULL)
goto malloc_error;
OPENSSL_free(ctx->ibuf);
@ -318,12 +320,14 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
p1 = ctx->ibuf;
p2 = ctx->obuf;
if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size)) {
p1 = OPENSSL_malloc((int)num);
if (num <= 0)
return 0;
p1 = OPENSSL_malloc((size_t)num);
if (p1 == NULL)
goto malloc_error;
}
if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size)) {
p2 = OPENSSL_malloc((int)num);
p2 = OPENSSL_malloc((size_t)num);
if (p2 == NULL) {
if (p1 != ctx->ibuf)
OPENSSL_free(p1);

4
crypto/bio/bf_lbuf.c
View File

@ -235,7 +235,9 @@ static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr)
obs = (int)num;
p = ctx->obuf;
if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size)) {
p = OPENSSL_malloc((int)num);
if (num <= 0)
return 0;
p = OPENSSL_malloc((size_t)num);
if (p == NULL)
goto malloc_error;
}

2
crypto/bio/bss_log.c
View File

@ -196,6 +196,8 @@ static int slg_write(BIO *b, const char *in, int inl)
/* The default */
};
if (inl < 0)
return 0;
if ((buf = OPENSSL_malloc(inl + 1)) == NULL) {
ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
return 0;

4
crypto/ess/ess_lib.c
View File

@ -223,6 +223,8 @@ int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
int len;
len = i2d_ESS_SIGNING_CERT(sc, NULL);
if (len <= 0)
goto err;
if ((pp = OPENSSL_malloc(len)) == NULL) {
ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
goto err;
@ -251,6 +253,8 @@ int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc)
unsigned char *p, *pp = NULL;
int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
if (len <= 0)
goto err;
if ((pp = OPENSSL_malloc(len)) == NULL) {
ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
goto err;

2
crypto/pkcs12/p12_mutl.c
View File

@ -234,6 +234,8 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
}
if (!saltlen)
saltlen = PKCS12_SALT_LEN;
if (saltlen < 0)
return 0;
if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
return 0;

5
crypto/pkcs12/p12_utl.c
View File

@ -21,6 +21,8 @@ unsigned char *OPENSSL_asc2uni(const char *asc, int asclen,
if (asclen == -1)
asclen = strlen(asc);
if (asclen < 0)
return NULL;
ulen = asclen * 2 + 2;
if ((unitmp = OPENSSL_malloc(ulen)) == NULL) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_MALLOC_FAILURE);
@ -44,9 +46,12 @@ char *OPENSSL_uni2asc(const unsigned char *uni, int unilen)
{
int asclen, i;
char *asctmp;
/* string must contain an even number of bytes */
if (unilen & 1)
return NULL;
if (unilen < 0)
return NULL;
asclen = unilen / 2;
/* If no terminating zero allow for one */
if (!unilen || uni[unilen - 1])

2
crypto/x509/t_x509.c
View File

@ -236,6 +236,8 @@ int X509_ocspid_print(BIO *bp, X509 *x)
goto err;
subj = X509_get_subject_name(x);
derlen = i2d_X509_NAME(subj, NULL);
if (derlen <= 0)
goto err;
if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL)
goto err;
i2d_X509_NAME(subj, &dertmp);

2
crypto/x509/v3_conf.c
View File

@ -154,6 +154,8 @@ static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
unsigned char *p;
ext_len = method->i2d(ext_struc, NULL);
if (ext_len <= 0)
goto merr;
if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
goto merr;
p = ext_der;

2
crypto/x509/v3_ia5.c
View File

@ -29,7 +29,7 @@ char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
{
char *tmp;
if (ia5 == NULL || ia5->length == 0)
if (ia5 == NULL || ia5->length <= 0)
return NULL;
if ((tmp = OPENSSL_malloc(ia5->length + 1)) == NULL) {
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);

3
crypto/x509/x509spki.c
View File

@ -58,7 +58,10 @@ char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki)
unsigned char *der_spki, *p;
char *b64_str;
int der_len;
der_len = i2d_NETSCAPE_SPKI(spki, NULL);
if (der_len <= 0)
return NULL;
der_spki = OPENSSL_malloc(der_len);
b64_str = OPENSSL_malloc(der_len * 2);
if (der_spki == NULL || b64_str == NULL) {