From 1711a62686e3d55767ba067a4fd1a18ceec69d3f Mon Sep 17 00:00:00 2001 From: dyrock Date: Mon, 15 Apr 2019 11:01:58 -0500 Subject: [PATCH] Check if num is 0 before trying to malloc memory. Otherwise for client hellos without extensions SSL_client_hello_get1_extensions_present will return MALLOC_FAILURE. Reviewed-by: Paul Yang Reviewed-by: Ben Kaduk Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/8756) (cherry picked from commit 6fda11ae5a06e28fd9463e5afb60735d074904b3) --- doc/man3/SSL_CTX_set_client_hello_cb.pod | 2 ++ ssl/ssl_lib.c | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/doc/man3/SSL_CTX_set_client_hello_cb.pod b/doc/man3/SSL_CTX_set_client_hello_cb.pod index 6824b5b8d1..585127db1b 100644 --- a/doc/man3/SSL_CTX_set_client_hello_cb.pod +++ b/doc/man3/SSL_CTX_set_client_hello_cb.pod @@ -65,6 +65,8 @@ both required, and on success the caller must release the storage allocated for B<*out> using OPENSSL_free(). The contents of B<*out> is an array of integers holding the numerical value of the TLS extension types in the order they appear in the ClientHello. B<*outlen> contains the number of elements in the array. +In situations when the ClientHello has no extensions, the function will return +success with B<*out> set to NULL and B<*outlen> set to 0. =head1 NOTES diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 4440a9ffe9..d7e1f328d6 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -5070,6 +5070,11 @@ int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen) if (ext->present) num++; } + if (num == 0) { + *out = NULL; + *outlen = 0; + return 1; + } if ((present = OPENSSL_malloc(sizeof(*present) * num)) == NULL) { SSLerr(SSL_F_SSL_CLIENT_HELLO_GET1_EXTENSIONS_PRESENT, ERR_R_MALLOC_FAILURE); -- 2.25.1
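Review bot: The new `if (num == 0)` branch in SSL_client_hello_get1_extensions_present carries no comment explaining why a zero count must bypass the allocation, and the diffstat shows no regression test for a ClientHello without extensions. I would put `/* OPENSSL_malloc(0) returns NULL, which the check below would report as ERR_R_MALLOC_FAILURE */` above the branch, and add a test that asserts a return of 1 with `*out == NULL` and `*outlen == 0`. Success no longer implies a non-NULL array, so a client-hello callback that indexes `*out` must check `*outlen` first; the added pod text states the contract but nothing in the code enforces it. The function's start and the rest of its body lie outside the hunk.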