EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of

the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@

5 files changed, 16 insertions, 2 deletions

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index ffbd83b060..602ab03fe1 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -2458,6 +2458,11 @@ ssl3_send_client_key_exchange(SSL *s)
                          * context data
                          */
                         ukm_hash = EVP_MD_CTX_create();
+                        if (ukm_hash == NULL) {
+                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                    ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
                         EVP_DigestInit(ukm_hash,
                             EVP_get_digestbynid(NID_id_GostR3411_94));
                         EVP_DigestUpdate(ukm_hash,
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index ffbd83b060..602ab03fe1 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -2458,6 +2458,11 @@ ssl3_send_client_key_exchange(SSL *s)
                          * context data
                          */
                         ukm_hash = EVP_MD_CTX_create();
+                        if (ukm_hash == NULL) {
+                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                    ERR_R_MALLOC_FAILURE);
+                                goto err;
+                        }
                         EVP_DigestInit(ukm_hash,
                             EVP_get_digestbynid(NID_id_GostR3411_94));
                         EVP_DigestUpdate(ukm_hash,
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index c9284c395f..aa729860fe 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -593,6 +593,10 @@ ssl3_digest_cached_records(SSL *s)
         for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
                 if ((mask & ssl_get_algorithm2(s)) && md) {
                         s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
+                        if (s->s3->handshake_dgst[i] == NULL) {
+                                SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS,
+                                    ERR_R_MALLOC_FAILURE);
+                        }
                         EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
                         EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
                 } else {
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index bf98354294..12d45ea025 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -3235,7 +3235,7 @@ ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
 {
         ssl_clear_hash_ctx(hash);
         *hash = EVP_MD_CTX_create();
-        if (md)
+        if (*hash != NULL && md != NULL)
                 EVP_DigestInit_ex(*hash, md, NULL);
         return (*hash);
 }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index bf98354294..12d45ea025 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -3235,7 +3235,7 @@ ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md)
 {
         ssl_clear_hash_ctx(hash);
         *hash = EVP_MD_CTX_create();
-        if (md)
+        if (*hash != NULL && md != NULL)
                 EVP_DigestInit_ex(*hash, md, NULL);
         return (*hash);
 }