From 7c0ef8431845ea741012a5a6ff7063dca801fadd Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 11 May 2016 21:14:57 +0100 Subject: [PATCH] Don't leak memory if realloc fails. RT#4403 Reviewed-by: Viktor Dukhovni --- apps/apps.c | 9 ++++----- apps/engine.c | 12 ++++++++---- crypto/modes/ocb128.c | 6 ++++-- ssl/ssl_rsa.c | 6 ++++-- ssl/t1_ext.c | 12 +++++++----- 5 files changed, 27 insertions(+), 18 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 537d43ab35..c7e01b0cc4 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -176,8 +176,6 @@ int chopup_args(ARGS *arg, char *buf) if (arg->size == 0) { arg->size = 20; arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space"); - if (arg->argv == NULL) - return 0; } for (p = buf;;) { @@ -189,11 +187,12 @@ int chopup_args(ARGS *arg, char *buf) /* The start of something good :-) */ if (arg->argc >= arg->size) { + char **tmp; arg->size += 20; - arg->argv = OPENSSL_realloc(arg->argv, - sizeof(*arg->argv) * arg->size); - if (arg->argv == NULL) + tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size); + if (tmp == NULL) return 0; + arg->argv = tmp; } quoted = *p == '\'' || *p == '"'; if (quoted) diff --git a/apps/engine.c b/apps/engine.c index b60bfbc294..3b395b1c7d 100644 --- a/apps/engine.c +++ b/apps/engine.c @@ -107,13 +107,17 @@ static int append_buf(char **buf, int *size, const char *s) } if (strlen(*buf) + strlen(s) >= (unsigned int)*size) { + char *tmp; *size += 256; - *buf = OPENSSL_realloc(*buf, *size); + tmp = OPENSSL_realloc(*buf, *size); + if (tmp == NULL) { + OPENSSL_free(*buf); + *buf = NULL; + return 0; + } + *buf = tmp; } - if (*buf == NULL) - return 0; - if (**buf != '\0') OPENSSL_strlcat(*buf, ", ", *size); OPENSSL_strlcat(*buf, s, *size); diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c index 3c17aa5287..cb99d094ab 100644 --- a/crypto/modes/ocb128.c +++ b/crypto/modes/ocb128.c @@ -147,6 +147,7 @@ static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx) /* We don't have it - so calculate it */ if (idx >= ctx->max_l_index) { + void *tmp_ptr; /* * Each additional entry allows to process almost double as * much data, so that in linear world the table will need to @@ -157,10 +158,11 @@ static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx) * the index. */ ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3; - ctx->l = + tmp_ptr = OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK)); - if (ctx->l == NULL) + if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */ return NULL; + ctx->l = tmp_ptr; } while (l_index < idx) { ocb_double(ctx->l + l_index, ctx->l + l_index + 1); diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index f1280ad01f..88dce79ace 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -940,6 +940,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) { unsigned char *serverinfo = NULL; + unsigned char *tmp; size_t serverinfo_length = 0; unsigned char *extension = 0; long extension_length = 0; @@ -999,12 +1000,13 @@ int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) goto end; } /* Append the decoded extension to the serverinfo buffer */ - serverinfo = + tmp = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length); - if (serverinfo == NULL) { + if (tmp == NULL) { SSLerr(SSL_F_SSL_CTX_USE_SERVERINFO_FILE, ERR_R_MALLOC_FAILURE); goto end; } + serverinfo = tmp; memcpy(serverinfo + serverinfo_length, extension, extension_length); serverinfo_length += extension_length; diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c index 3bbe1fd826..281613185e 100644 --- a/ssl/t1_ext.c +++ b/ssl/t1_ext.c @@ -205,7 +205,7 @@ static int custom_ext_meth_add(custom_ext_methods *exts, void *add_arg, custom_ext_parse_cb parse_cb, void *parse_arg) { - custom_ext_method *meth; + custom_ext_method *meth, *tmp; /* * Check application error: if add_cb is not set free_cb will never be * called. @@ -225,15 +225,17 @@ static int custom_ext_meth_add(custom_ext_methods *exts, /* Search for duplicate */ if (custom_ext_find(exts, ext_type)) return 0; - exts->meths = OPENSSL_realloc(exts->meths, - (exts->meths_count + - 1) * sizeof(custom_ext_method)); + tmp = OPENSSL_realloc(exts->meths, + (exts->meths_count + 1) * sizeof(custom_ext_method)); - if (!exts->meths) { + if (tmp == NULL) { + OPENSSL_free(exts->meths); + exts->meths = NULL; exts->meths_count = 0; return 0; } + exts->meths = tmp; meth = exts->meths + exts->meths_count; memset(meth, 0, sizeof(*meth)); meth->parse_cb = parse_cb; -- 2.25.1