From: Guido Vranken Date: Mon, 13 Feb 2017 00:36:43 +0000 (+0100) Subject: Prevent allocations of size 0 in sh_init, which are not possible with the default... X-Git-Tag: OpenSSL_1_1_1-pre1~2404 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=7f07149d25f8d7e00e9350ff2f064a4d25c1a13d;p=oweals%2Fopenssl.git Prevent allocations of size 0 in sh_init, which are not possible with the default OPENSSL_zalloc, but are possible if the user has installed their own allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the secure heap code will later access (at least) the first byte of that space, which is technically an OOB access. This could lead to problems with some custom allocators that only return a valid pointer for subsequent free()-ing, and do not expect that the pointer is actually dereferenced. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2605) --- diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c index 4ccff34e5e..0c79b43658 100644 --- a/crypto/mem_sec.c +++ b/crypto/mem_sec.c @@ -356,6 +356,10 @@ static int sh_init(size_t size, int minsize) sh.minsize = minsize; sh.bittable_size = (sh.arena_size / sh.minsize) * 2; + /* Prevent allocations of size 0 later on */ + if (sh.bittable_size >> 3 == 0) + goto err; + sh.freelist_size = -1; for (i = sh.bittable_size; i; i >>= 1) sh.freelist_size++;