diff options
| author | jsing <> | 2014-06-10 11:40:22 +0000 |
|---|---|---|
| committer | jsing <> | 2014-06-10 11:40:22 +0000 |
| commit | 8d9007607f4ff6509cc1aa974ff5abee8197e4cb (patch) | |
| tree | 530cd52603b6af5c3e22b15811390dd5b480011f /src | |
| parent | 120092c80815c9fc85a2cdb032c540607898cfc5 (diff) | |
| download | openbsd-8d9007607f4ff6509cc1aa974ff5abee8197e4cb.tar.gz openbsd-8d9007607f4ff6509cc1aa974ff5abee8197e4cb.tar.bz2 openbsd-8d9007607f4ff6509cc1aa974ff5abee8197e4cb.zip | |
Avoid potential NULL pointer function calls in n_ssl3_mac() by checking
the return value of EVP_MD_CTX_copy_ex(). If the copy fails early then
EVP_DigestUpdate() will invoke md_ctx.update(), which will be a NULL
function pointer.
Analysis and patch from David Ramos.
ok deraadt@
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_enc.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c index f4ac5222f3..13ba633f49 100644 --- a/src/lib/libssl/src/ssl/s3_enc.c +++ b/src/lib/libssl/src/ssl/s3_enc.c | |||
| @@ -762,7 +762,8 @@ n_ssl3_mac(SSL *ssl, unsigned char *md, int send) | |||
| 762 | /* Chop the digest off the end :-) */ | 762 | /* Chop the digest off the end :-) */ |
| 763 | EVP_MD_CTX_init(&md_ctx); | 763 | EVP_MD_CTX_init(&md_ctx); |
| 764 | 764 | ||
| 765 | EVP_MD_CTX_copy_ex(&md_ctx, hash); | 765 | if (!EVP_MD_CTX_copy_ex(&md_ctx, hash)) |
| 766 | return (-1); | ||
| 766 | EVP_DigestUpdate(&md_ctx, mac_sec, md_size); | 767 | EVP_DigestUpdate(&md_ctx, mac_sec, md_size); |
| 767 | EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad); | 768 | EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad); |
| 768 | EVP_DigestUpdate(&md_ctx, seq, 8); | 769 | EVP_DigestUpdate(&md_ctx, seq, 8); |
| @@ -774,7 +775,8 @@ n_ssl3_mac(SSL *ssl, unsigned char *md, int send) | |||
| 774 | EVP_DigestUpdate(&md_ctx, rec->input, rec->length); | 775 | EVP_DigestUpdate(&md_ctx, rec->input, rec->length); |
| 775 | EVP_DigestFinal_ex(&md_ctx, md, NULL); | 776 | EVP_DigestFinal_ex(&md_ctx, md, NULL); |
| 776 | 777 | ||
| 777 | EVP_MD_CTX_copy_ex(&md_ctx, hash); | 778 | if (!EVP_MD_CTX_copy_ex(&md_ctx, hash)) |
| 779 | return (-1); | ||
| 778 | EVP_DigestUpdate(&md_ctx, mac_sec, md_size); | 780 | EVP_DigestUpdate(&md_ctx, mac_sec, md_size); |
| 779 | EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad); | 781 | EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad); |
| 780 | EVP_DigestUpdate(&md_ctx, md, md_size); | 782 | EVP_DigestUpdate(&md_ctx, md, md_size); |