diff options
| author | Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> | 2019-12-12 07:41:00 +1000 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2019-12-12 07:41:00 +1000 |
| commit | 0402c90ff9caac4c680e3cb6db7729e00d3fc20b (patch) | |
| tree | 568c135161a1222d9dc224fa13b343690bdcb57e | |
| parent | f5e77bb0fa25b2fd87c879eb5bfa3e7945731675 (diff) | |
| download | openssl-new-0402c90ff9caac4c680e3cb6db7729e00d3fc20b.tar.gz | |
rand_lib.c: fix null pointer dereferences after RAND_get_rand_method() failure
RAND_get_rand_method() can return a NULL method pointer in the case of a
malloc failure, so don't dereference it without a check.
Reported-by: Zu-Ming Jiang (detected by FIFUZZ)
Fixes #10480
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10483)
| -rw-r--r-- | crypto/err/openssl.txt | 2 | ||||
| -rw-r--r-- | crypto/rand/rand_lib.c | 38 | ||||
| -rw-r--r-- | include/openssl/randerr.h | 2 |
3 files changed, 25 insertions, 17 deletions
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 7a80a7e145..a39b65382d 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1150,6 +1150,8 @@ RAND_F_RAND_POOL_ATTACH:124:rand_pool_attach RAND_F_RAND_POOL_BYTES_NEEDED:115:rand_pool_bytes_needed RAND_F_RAND_POOL_GROW:127: RAND_F_RAND_POOL_NEW:116:rand_pool_new +RAND_F_RAND_PRIV_BYTES_EX:128: +RAND_F_RAND_PSEUDO_BYTES:129: RAND_F_RAND_WRITE_FILE:112:RAND_write_file RSA_F_CHECK_PADDING_MD:140:check_padding_md RSA_F_ENCODE_PKCS1:146:encode_pkcs1 diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index c6b4ad3ae4..0be9db1c5f 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -311,6 +311,9 @@ int RAND_poll(void) const RAND_METHOD *meth = RAND_get_rand_method(); + if (meth == NULL) + return 0; + if (meth == RAND_OpenSSL()) { /* fill random pool and seed the master DRBG */ RAND_DRBG *drbg = RAND_DRBG_get0_master(); @@ -831,7 +834,7 @@ void RAND_seed(const void *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->seed != NULL) + if (meth != NULL && meth->seed != NULL) meth->seed(buf, num); } @@ -839,7 +842,7 @@ void RAND_add(const void *buf, int num, double randomness) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->add != NULL) + if (meth != NULL && meth->add != NULL) meth->add(buf, num, randomness); } @@ -851,18 +854,20 @@ void RAND_add(const void *buf, int num, double randomness) int rand_priv_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) { RAND_DRBG *drbg; - int ret; const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != RAND_OpenSSL()) - return meth->bytes(buf, num); + if (meth != NULL && meth != RAND_OpenSSL()) { + if (meth->bytes != NULL) + return meth->bytes(buf, num); + RANDerr(RAND_F_RAND_PRIV_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED); + return -1; + } drbg = OPENSSL_CTX_get0_private_drbg(ctx); - if (drbg == NULL) - return 0; + if (drbg != NULL) + return RAND_DRBG_bytes(drbg, buf, num); - ret = RAND_DRBG_bytes(drbg, buf, num); - return ret; + return 0; } int RAND_priv_bytes(unsigned char *buf, int num) @@ -873,10 +878,9 @@ int RAND_priv_bytes(unsigned char *buf, int num) int rand_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) { RAND_DRBG *drbg; - int ret; const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth != RAND_OpenSSL()) { + if (meth != NULL && meth != RAND_OpenSSL()) { if (meth->bytes != NULL) return meth->bytes(buf, num); RANDerr(RAND_F_RAND_BYTES_EX, RAND_R_FUNC_NOT_IMPLEMENTED); @@ -884,11 +888,10 @@ int rand_bytes_ex(OPENSSL_CTX *ctx, unsigned char *buf, int num) } drbg = OPENSSL_CTX_get0_public_drbg(ctx); - if (drbg == NULL) - return 0; + if (drbg != NULL) + return RAND_DRBG_bytes(drbg, buf, num); - ret = RAND_DRBG_bytes(drbg, buf, num); - return ret; + return 0; } int RAND_bytes(unsigned char *buf, int num) @@ -901,8 +904,9 @@ int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->pseudorand != NULL) + if (meth != NULL && meth->pseudorand != NULL) return meth->pseudorand(buf, num); + RANDerr(RAND_F_RAND_PSEUDO_BYTES, RAND_R_FUNC_NOT_IMPLEMENTED); return -1; } #endif @@ -911,7 +915,7 @@ int RAND_status(void) { const RAND_METHOD *meth = RAND_get_rand_method(); - if (meth->status != NULL) + if (meth != NULL && meth->status != NULL) return meth->status(); return 0; } diff --git a/include/openssl/randerr.h b/include/openssl/randerr.h index e633260712..68992d771d 100644 --- a/include/openssl/randerr.h +++ b/include/openssl/randerr.h @@ -57,6 +57,8 @@ int ERR_load_RAND_strings(void); # define RAND_F_RAND_POOL_BYTES_NEEDED 0 # define RAND_F_RAND_POOL_GROW 0 # define RAND_F_RAND_POOL_NEW 0 +# define RAND_F_RAND_PRIV_BYTES_EX 0 +# define RAND_F_RAND_PSEUDO_BYTES 0 # define RAND_F_RAND_WRITE_FILE 0 # endif |