|
 |
877dfe |
From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001
|
|
|
877dfe |
From: Matt Caswell <matt@openssl.org>
|
|
|
877dfe |
Date: Tue, 13 Dec 2022 14:54:55 +0000
|
|
|
877dfe |
Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for
|
|
|
877dfe |
PEM_read_bio_ex
|
|
|
877dfe |
|
|
|
877dfe |
In the event of a failure in PEM_read_bio_ex() we free the buffers we
|
|
|
877dfe |
allocated for the header and data buffers. However we were not clearing
|
|
|
877dfe |
the ptrs stored in *header and *data. Since, on success, the caller is
|
|
|
877dfe |
responsible for freeing these ptrs this can potentially lead to a double
|
|
|
877dfe |
free if the caller frees them even on failure.
|
|
|
877dfe |
|
|
|
877dfe |
Thanks to Dawei Wang for reporting this issue.
|
|
|
877dfe |
|
|
|
877dfe |
Based on a proposed patch by Kurt Roeckx.
|
|
|
877dfe |
|
|
|
877dfe |
CVE-2022-4450
|
|
|
877dfe |
|
|
|
877dfe |
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
877dfe |
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
|
877dfe |
---
|
|
|
877dfe |
crypto/pem/pem_lib.c | 2 ++
|
|
|
877dfe |
1 file changed, 2 insertions(+)
|
|
|
877dfe |
|
|
|
877dfe |
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
|
|
|
877dfe |
index d416d939ea..328c30cdbb 100644
|
|
|
877dfe |
--- a/crypto/pem/pem_lib.c
|
|
|
877dfe |
+++ b/crypto/pem/pem_lib.c
|
|
|
877dfe |
@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
|
|
|
877dfe |
*data = pem_malloc(len, flags);
|
|
|
877dfe |
if (*header == NULL || *data == NULL) {
|
|
|
877dfe |
pem_free(*header, flags, 0);
|
|
|
877dfe |
+ *header = NULL;
|
|
|
877dfe |
pem_free(*data, flags, 0);
|
|
|
877dfe |
+ *data = NULL;
|
|
|
877dfe |
goto end;
|
|
|
877dfe |
}
|
|
|
877dfe |
BIO_read(headerB, *header, headerlen);
|
|
|
877dfe |
--
|
|
|
877dfe |
2.39.1
|
|
|
877dfe |
|
|
|
877dfe |
From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001
|
|
|
877dfe |
From: Matt Caswell <matt@openssl.org>
|
|
|
877dfe |
Date: Tue, 13 Dec 2022 15:02:26 +0000
|
|
|
877dfe |
Subject: [PATCH 3/6] Add a test for CVE-2022-4450
|
|
|
877dfe |
|
|
|
877dfe |
Call PEM_read_bio_ex() and expect a failure. There should be no dangling
|
|
|
877dfe |
ptrs and therefore there should be no double free if we free the ptrs on
|
|
|
877dfe |
error.
|
|
|
877dfe |
|
|
|
877dfe |
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
|
877dfe |
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
|
877dfe |
---
|
|
|
877dfe |
test/pemtest.c | 30 ++++++++++++++++++++++++++++++
|
|
|
877dfe |
1 file changed, 30 insertions(+)
|
|
|
877dfe |
|
|
|
877dfe |
diff --git a/test/pemtest.c b/test/pemtest.c
|
|
|
877dfe |
index 3203d976be..edeb0a1205 100644
|
|
|
877dfe |
--- a/test/pemtest.c
|
|
|
877dfe |
+++ b/test/pemtest.c
|
|
|
877dfe |
@@ -83,9 +83,39 @@ static int test_invalid(void)
|
|
|
877dfe |
return 1;
|
|
|
877dfe |
}
|
|
|
877dfe |
|
|
|
877dfe |
+static int test_empty_payload(void)
|
|
|
877dfe |
+{
|
|
|
877dfe |
+ BIO *b;
|
|
|
877dfe |
+ static char *emptypay =
|
|
|
877dfe |
+ "-----BEGIN CERTIFICATE-----\n"
|
|
|
877dfe |
+ "-\n" /* Base64 EOF character */
|
|
|
877dfe |
+ "-----END CERTIFICATE-----";
|
|
|
877dfe |
+ char *name = NULL, *header = NULL;
|
|
|
877dfe |
+ unsigned char *data = NULL;
|
|
|
877dfe |
+ long len;
|
|
|
877dfe |
+ int ret = 0;
|
|
|
877dfe |
+
|
|
|
877dfe |
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
|
|
|
877dfe |
+ if (!TEST_ptr(b))
|
|
|
877dfe |
+ return 0;
|
|
|
877dfe |
+
|
|
|
877dfe |
+ /* Expected to fail because the payload is empty */
|
|
|
877dfe |
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
|
|
|
877dfe |
+ goto err;
|
|
|
877dfe |
+
|
|
|
877dfe |
+ ret = 1;
|
|
|
877dfe |
+ err:
|
|
|
877dfe |
+ OPENSSL_free(name);
|
|
|
877dfe |
+ OPENSSL_free(header);
|
|
|
877dfe |
+ OPENSSL_free(data);
|
|
|
877dfe |
+ BIO_free(b);
|
|
|
877dfe |
+ return ret;
|
|
|
877dfe |
+}
|
|
|
877dfe |
+
|
|
|
877dfe |
int setup_tests(void)
|
|
|
877dfe |
{
|
|
|
877dfe |
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
|
|
|
877dfe |
ADD_TEST(test_invalid);
|
|
|
877dfe |
+ ADD_TEST(test_empty_payload);
|
|
|
877dfe |
return 1;
|
|
|
877dfe |
}
|
|
|
877dfe |
--
|
|
|
877dfe |
2.39.1
|
|
|
877dfe |
|