From b48cf8cc3375610db39211d1da5904ff311d75d8 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Thu, 19 Feb 2015 06:10:29 +0000 Subject: If BN_rand() or BN_pseudo_rand() are called with a NULL rnd argument, BN_bin2bn() will helpfully allocate a BN which is then leaked. Avoid this by explicitly checking for NULL at the start of the bnrand() function. Fixes Coverity ID 78831. ok miod@ --- src/lib/libcrypto/bn/bn_rand.c | 11 ++++++++--- src/lib/libssl/src/crypto/bn/bn_rand.c | 11 ++++++++--- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c index 334c65dd57..ac5c5eb308 100644 --- a/src/lib/libcrypto/bn/bn_rand.c +++ b/src/lib/libcrypto/bn/bn_rand.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand.c,v 1.16 2014/10/22 13:02:04 jsing Exp $ */ +/* $OpenBSD: bn_rand.c,v 1.17 2015/02/19 06:10:29 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -123,9 +123,14 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) unsigned char *buf = NULL; int ret = 0, bit, bytes, mask; + if (rnd == NULL) { + BNerr(BN_F_BNRAND, ERR_R_PASSED_NULL_PARAMETER); + return (0); + } + if (bits == 0) { BN_zero(rnd); - return 1; + return (1); } bytes = (bits + 7) / 8; @@ -175,7 +180,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) buf[0] &= ~mask; if (bottom) /* set bottom bit if requested */ buf[bytes - 1] |= 1; - if (!BN_bin2bn(buf, bytes, rnd)) + if (BN_bin2bn(buf, bytes, rnd) == NULL) goto err; ret = 1; diff --git a/src/lib/libssl/src/crypto/bn/bn_rand.c b/src/lib/libssl/src/crypto/bn/bn_rand.c index 334c65dd57..ac5c5eb308 100644 --- a/src/lib/libssl/src/crypto/bn/bn_rand.c +++ b/src/lib/libssl/src/crypto/bn/bn_rand.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand.c,v 1.16 2014/10/22 13:02:04 jsing Exp $ */ +/* $OpenBSD: bn_rand.c,v 1.17 2015/02/19 06:10:29 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -123,9 +123,14 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) unsigned char *buf = NULL; int ret = 0, bit, bytes, mask; + if (rnd == NULL) { + BNerr(BN_F_BNRAND, ERR_R_PASSED_NULL_PARAMETER); + return (0); + } + if (bits == 0) { BN_zero(rnd); - return 1; + return (1); } bytes = (bits + 7) / 8; @@ -175,7 +180,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) buf[0] &= ~mask; if (bottom) /* set bottom bit if requested */ buf[bytes - 1] |= 1; - if (!BN_bin2bn(buf, bytes, rnd)) + if (BN_bin2bn(buf, bytes, rnd) == NULL) goto err; ret = 1; -- cgit v1.2.3-55-g6feb