From 56d88027f026afd97ddf4e501f98437ca9819bfb Mon Sep 17 00:00:00 2001 From: Gunnar Kudrjavets Date: Tue, 12 May 2015 15:44:45 -0700 Subject: [PATCH] Fix the heap corruption in libeay32!OBJ_add_object. Original 'sizeof(ADDED_OBJ)' was replaced with 'sizeof(*ao)'. However, they return different sizes. Therefore as the result heap gets corrupted and at some point later debug version of malloc() detects the corruption. On x86 we can observe that as follows: sizeof(*ao) == 4 sizeof(*ao[0]) == sizeof(ADDED_OBJ) == 8 Issue reproduces with either enabling CRT debug heap or Application Verifier's full-page heap. Basic debugging data from the moment the corruption is first detected: 0:000:x86> | . 0 id: 283c create name: openssl.exe 0:000:x86> kcn # 00 MSVCR120D!_heap_alloc_dbg_impl 01 MSVCR120D!_nh_malloc_dbg_impl 02 MSVCR120D!_nh_malloc_dbg 03 MSVCR120D!malloc 04 LIBEAY32!default_malloc_ex 05 LIBEAY32!CRYPTO_malloc 06 LIBEAY32!lh_insert 07 LIBEAY32!OBJ_add_object 08 LIBEAY32!OBJ_create 09 openssl!add_oid_section 0a openssl!req_main 0b openssl!do_cmd 0c openssl!main 0d openssl!__tmainCRTStartup 0e openssl!mainCRTStartup 0f KERNEL32!BaseThreadInitThunk 10 ntdll_77d60000!__RtlUserThreadStart 11 ntdll_77d60000!_RtlUserThreadStart Signed-off-by: Matt Caswell Reviewed-by: Richard Levitte --- crypto/objects/obj_dat.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 991a1b7058..3df7ff2457 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -255,16 +255,16 @@ int OBJ_add_object(const ASN1_OBJECT *obj) return (0); if ((o = OBJ_dup(obj)) == NULL) goto err; - if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao))) == NULL) + if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) goto err2; if ((o->length != 0) && (obj->data != NULL)) - if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao))) == NULL) + if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) goto err2; if (o->sn != NULL) - if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL) + if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) goto err2; if (o->ln != NULL) - if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao))) == NULL) + if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL) goto err2; for (i = ADDED_DATA; i <= ADDED_NID; i++) { -- 2.25.1