[OE-core] [PATCH] openssl: avoid NULL pointer dereference in three places

Xufeng Zhang xufeng.zhang at windriver.com
Tue Jun 4 06:18:40 UTC 2013 

On 06/04/2013 02:15 PM, Xufeng Zhang wrote:
> There are three potential NULL pointer dereference in
> EVP_DigestInit_ex(), dh_pub_encode() and dsa_pub_encode()
> functions.
> Fix them by adding proper null pointer check.
>
> [YOCTO #4600]
> [ CQID: WIND00373257 ]
>
> Signed-off-by: Xufeng Zhang<xufeng.zhang at windriver.com>
> ---
>   ...-pointer-dereference-in-EVP_DigestInit_ex.patch |   16 +++++++++
>   ...NULL-pointer-dereference-in-dh_pub_encode.patch |   34 ++++++++++++++++++++
>   meta/recipes-connectivity/openssl/openssl.inc      |    2 +-
>   .../recipes-connectivity/openssl/openssl_1.0.1e.bb |    2 +
>   4 files changed, 53 insertions(+), 1 deletions(-)
>   create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
>   create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
>
> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> new file mode 100644
> index 0000000..69924a4
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch
> @@ -0,0 +1,16 @@
> +openssl: avoid NULL pointer dereference in EVP_DigestInit_ex()
> +
> +We should avoid accessing the type pointer if it's NULL,
> +this could happen if ctx->digest is not NULL.
> +---
> +--- a/crypto/evp/digest.c
> ++++ b/crypto/evp/digest.c
> +@@ -199,7 +199,7 @@
> + 		return 0;
> + 		}
> + #endif
> +-	if (ctx->digest != type)
> ++	if (type&&  (ctx->digest != type))
> + 		{
> + 		if (ctx->digest&&  ctx->digest->ctx_size)
> + 			OPENSSL_free(ctx->md_data);
> diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
> new file mode 100644
> index 0000000..642b0ea
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
> @@ -0,0 +1,34 @@
> +openssl: avoid NULL pointer dereference in dh_pub_encode()/dsa_pub_encode()
> +
> +We should avoid accessing the pointer if ASN1_STRING_new()
> +allocates memory failed.
> +---
> +--- a/crypto/dh/dh_ameth.c
> ++++ b/crypto/dh/dh_ameth.c
> +@@ -139,6 +139,12 @@
> + 	dh=pkey->pkey.dh;
> +
> + 	str = ASN1_STRING_new();
> ++	if (!str)
> ++		{
> ++		DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
> ++		goto err;
> ++		}
> ++
> + 	str->length = i2d_DHparams(dh,&str->data);
> + 	if (str->length<= 0)
> + 		{
> +--- a/crypto/dsa/dsa_ameth.c
> ++++ b/crypto/dsa/dsa_ameth.c
> +@@ -148,6 +148,11 @@
> + 		{
> + 		ASN1_STRING *str;
> + 		str = ASN1_STRING_new();
> ++		if (!str)
> ++			{
> ++			DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
> ++			goto err;
> ++			}
> + 		str->length = i2d_DSAparams(dsa,&str->data);
> + 		if (str->length<= 0)
> + 			{
> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
> index f5b2432..c753a27 100644
> --- a/meta/recipes-connectivity/openssl/openssl.inc
> +++ b/meta/recipes-connectivity/openssl/openssl.inc
> @@ -5,7 +5,7 @@ BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
>   SECTION = "libs/network"
>
>   # Big Jump for OpenSSL 1.0 support with meta-oe
> -INC_PR = "r15"
> +INC_PR = "r16"
>
>   # "openssl | SSLeay" dual license
>   LICENSE = "openssl"
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> index 61de3a6..afd5576 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb
> @@ -31,6 +31,8 @@ SRC_URI += "file://configure-targets.patch \
>               file://openssl_fix_for_x32.patch \
>               file://openssl-fix-doc.patch \
>               file://find.pl \
> +	    file://openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch \
> +	    file://openssl-avoid-NULL-pointer-dereference-in-EVP_DigestInit_ex.patch \
>    
Looks like I have broken the alignment here, I'll change them when I 
send V2 patch.



Thanks,
Xufeng



>              "
>
>   SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
>

More information about the Openembedded-core mailing list