author | Hanno Böck <hanno@hboeck.de> | 2015-05-11 11:33:37 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-05-13 15:23:57 +0100 |
commit | 2b8dc08b74fc3c6d4c2fc855cc23bac691d985be (patch) | |
tree | 5ace6bdeee218949e1c49ca04d8cbddee7a8afad /crypto/objects/obj_dat.c | |
parent | c3d734701cd57575856bf9b542446811518dd28c (diff) | |

Call of memcmp with null pointers in obj_cmp()

The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.
This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):

    apps/openssl pkcs7 -in test/testp7.pem

What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.

RT#3816

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Diffstat (limited to 'crypto/objects/obj_dat.c')
-rw-r--r-- | crypto/objects/obj_dat.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 3df7ff2..6a068ee 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -380,6 +380,8 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp) j = (a->length - b->length); if (j) return (j); + if (a->length == 0) + return 0; return (memcmp(a->data, b->data, a->length)); } |
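
Review bot: The new `if (a->length == 0) return 0;` guard in front of the memcmp() call in obj_cmp() carries no comment, and because a zero-length memcmp() would be expected to return 0 anyway, it reads as redundant and is at risk of being dropped in a later cleanup. Add a one-line comment saying that a->data and b->data can be NULL for zero-length objects and that passing a null pointer to memcmp() is undefined even when the length is 0. The guard also tests only the length, not the pointers, so it depends on data being non-NULL whenever length is non-zero; if nothing else enforces that, test the pointers here as well.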