From: Dr. Matthias St. Pierre Date: Wed, 20 Mar 2019 23:56:36 +0000 (+0100) Subject: trace: fix out-of-bound memory access X-Git-Tag: openssl-3.0.0-alpha1~2271 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6a411436a5642a4c2ca934a649eced7118f3793d;p=oweals%2Fopenssl.git trace: fix out-of-bound memory access When OSSL_trace_get_category_num() is called with an unknown category name, it returns -1. This case needs to be considered in order to avoid out-of-bound memory access to the `trace_channels` array. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/8552) --- diff --git a/crypto/trace.c b/crypto/trace.c index 6299a688be..5e2fec299a 100644 --- a/crypto/trace.c +++ b/crypto/trace.c @@ -431,7 +431,8 @@ int OSSL_trace_enabled(int category) int ret = 0; #ifndef OPENSSL_NO_TRACE category = ossl_trace_get_category(category); - ret = trace_channels[category].bio != NULL; + if (category >= 0) + ret = trace_channels[category].bio != NULL; #endif return ret; } @@ -443,6 +444,9 @@ BIO *OSSL_trace_begin(int category) char *prefix = NULL; category = ossl_trace_get_category(category); + if (category < 0) + return NULL; + channel = trace_channels[category].bio; prefix = trace_channels[category].prefix;
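Review bot: In the OSSL_trace_enabled() hunk, the new `if (category >= 0)` guards only the lower bound of the `trace_channels` index. The commit message attributes the -1 to OSSL_trace_get_category_num(), while the value checked here comes from ossl_trace_get_category(). A one-line comment at the check stating that a negative result means "unknown category" would tie the two together. It is also worth confirming that ossl_trace_get_category() can never return a value at or past the end of the array, since its body is not visible in this diff.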
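Review bot: In the OSSL_trace_begin() hunk, the early `return NULL` for `category < 0` carries no comment. The diff touches only crypto/trace.c, so no regression test or documentation change accompanies the fix. The placement is right, since it sits before both the `.bio` and `.prefix` reads. Suggest a short comment that NULL here means the category is unknown, plus a test that passes an unknown category to OSSL_trace_enabled() and OSSL_trace_begin() and expects 0 and NULL respectively.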