You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
106 lines
2.9 KiB
106 lines
2.9 KiB
From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001 |
|
From: Matt Caswell <matt@openssl.org> |
|
Date: Tue, 13 Dec 2022 14:54:55 +0000 |
|
Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for |
|
PEM_read_bio_ex |
|
|
|
In the event of a failure in PEM_read_bio_ex() we free the buffers we |
|
allocated for the header and data buffers. However we were not clearing |
|
the ptrs stored in *header and *data. Since, on success, the caller is |
|
responsible for freeing these ptrs this can potentially lead to a double |
|
free if the caller frees them even on failure. |
|
|
|
Thanks to Dawei Wang for reporting this issue. |
|
|
|
Based on a proposed patch by Kurt Roeckx. |
|
|
|
CVE-2022-4450 |
|
|
|
Reviewed-by: Paul Dale <pauli@openssl.org> |
|
Reviewed-by: Hugo Landau <hlandau@openssl.org> |
|
--- |
|
crypto/pem/pem_lib.c | 2 ++ |
|
1 file changed, 2 insertions(+) |
|
|
|
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c |
|
index f9ff80162a..85c47fb627 100644 |
|
--- a/crypto/pem/pem_lib.c |
|
+++ b/crypto/pem/pem_lib.c |
|
@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, |
|
|
|
out_free: |
|
pem_free(*header, flags, 0); |
|
+ *header = NULL; |
|
pem_free(*data, flags, 0); |
|
+ *data = NULL; |
|
end: |
|
EVP_ENCODE_CTX_free(ctx); |
|
pem_free(name, flags, 0); |
|
-- |
|
2.39.1 |
|
|
|
From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001 |
|
From: Matt Caswell <matt@openssl.org> |
|
Date: Tue, 13 Dec 2022 15:02:26 +0000 |
|
Subject: [PATCH 05/18] Add a test for CVE-2022-4450 |
|
|
|
Call PEM_read_bio_ex() and expect a failure. There should be no dangling |
|
ptrs and therefore there should be no double free if we free the ptrs on |
|
error. |
|
|
|
Reviewed-by: Paul Dale <pauli@openssl.org> |
|
Reviewed-by: Hugo Landau <hlandau@openssl.org> |
|
--- |
|
test/pemtest.c | 30 ++++++++++++++++++++++++++++++ |
|
1 file changed, 30 insertions(+) |
|
|
|
diff --git a/test/pemtest.c b/test/pemtest.c |
|
index a8d2d49bb5..a5d28cb256 100644 |
|
--- a/test/pemtest.c |
|
+++ b/test/pemtest.c |
|
@@ -96,6 +96,35 @@ static int test_cert_key_cert(void) |
|
return 1; |
|
} |
|
|
|
+static int test_empty_payload(void) |
|
+{ |
|
+ BIO *b; |
|
+ static char *emptypay = |
|
+ "-----BEGIN CERTIFICATE-----\n" |
|
+ "-\n" /* Base64 EOF character */ |
|
+ "-----END CERTIFICATE-----"; |
|
+ char *name = NULL, *header = NULL; |
|
+ unsigned char *data = NULL; |
|
+ long len; |
|
+ int ret = 0; |
|
+ |
|
+ b = BIO_new_mem_buf(emptypay, strlen(emptypay)); |
|
+ if (!TEST_ptr(b)) |
|
+ return 0; |
|
+ |
|
+ /* Expected to fail because the payload is empty */ |
|
+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) |
|
+ goto err; |
|
+ |
|
+ ret = 1; |
|
+ err: |
|
+ OPENSSL_free(name); |
|
+ OPENSSL_free(header); |
|
+ OPENSSL_free(data); |
|
+ BIO_free(b); |
|
+ return ret; |
|
+} |
|
+ |
|
int setup_tests(void) |
|
{ |
|
if (!TEST_ptr(pemfile = test_get_argument(0))) |
|
@@ -103,5 +132,6 @@ int setup_tests(void) |
|
ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); |
|
ADD_TEST(test_invalid); |
|
ADD_TEST(test_cert_key_cert); |
|
+ ADD_TEST(test_empty_payload); |
|
return 1; |
|
} |
|
-- |
|
2.39.1 |
|
|
|
|