From: Hanno Böck Date: Mon, 11 May 2015 10:33:37 +0000 (+0100) Subject: Call of memcmp with null pointers in obj_cmp() X-Git-Tag: OpenSSL_1_0_1n~63 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=5e0ec9012bae4cc261ec300a0bf1432fbb13ee2a;p=oweals%2Fopenssl.git Call of memcmp with null pointers in obj_cmp() The function obj_cmp() (file crypto/objects/obj_dat.c) can in some situations call memcmp() with a null pointer and a zero length. This is invalid behaviour. When compiling openssl with undefined behaviour sanitizer (add -fsanitize=undefined to compile flags) this can be seen. One example that triggers this behaviour is the pkcs7 command (but there are others, e.g. I've seen it with the timestamp function): apps/openssl pkcs7 -in test/testp7.pem What happens is that obj_cmp takes objects of the type ASN1_OBJECT and passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT structures can have a null pointer as data. RT#3816 Signed-off-by: Matt Caswell Reviewed-by: Rich Salz (cherry picked from commit 2b8dc08b74fc3c6d4c2fc855cc23bac691d985be) --- diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 5cd755d77d..5ff1294d3c 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -400,6 +400,8 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp) j = (a->length - b->length); if (j) return (j); + if (a->length == 0) + return 0; return (memcmp(a->data, b->data, a->length)); }
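Review bot: the new guard `if (a->length == 0) return 0;` needs a comment, because without one a later reader will take it for a redundant shortcut and may remove it: memcmp() with a null pointer is undefined behaviour even when the length is zero (C11 7.24.1p2 requires valid pointer arguments regardless of n), and, as the commit message says, zero-length ASN1_OBJECTs can carry a null data pointer. Something like `/* zero-length objects may have data == NULL; memcmp(NULL, x, 0) is UB */` directly above the check would do. The comment should also state that the guard is only correct because it sits after the length comparison: once `if (j) return (j);` has been passed, a->length == b->length, so testing a->length alone covers both operands. Note the scope of the fix: an object with a non-zero length and a null data pointer would still reach memcmp() unguarded, which is consistent with the commit message describing the problem as a zero-length case only, so nothing further is required here, but the reproducer given in the message (`apps/openssl pkcs7 -in test/testp7.pem` under -fsanitize=undefined) is worth turning into a regression check so the guard is not silently dropped.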