Unchecked malloc fixes

Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error paths as I spotted them along the way. Reviewed-by: N Tim Hudson <tjh@openssl.org>

Unchecked malloc fixes
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error paths as I spotted them along the way. Reviewed-by: N Tim Hudson <tjh@openssl.org>
918bb865 · Matt Caswell · 618be04e · 918bb865 · 918bb865 · 918bb865
21 changed file
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -576,6 +576,11 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
        char *prompt = NULL;

        prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
+        if(!prompt) {
+            BIO_printf(bio_err, "Out of memory\n");
+            UI_free(ui);
+            return 0;
+        }

        ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
        UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
@@ -585,6 +590,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
                                     PW_MIN_LENGTH, bufsiz - 1);
        if (ok >= 0 && verify) {
            buff = (char *)OPENSSL_malloc(bufsiz);
+            if(!buff) {
+                BIO_printf(bio_err, "Out of memory\n");
+                UI_free(ui);
+                OPENSSL_free(prompt);
+                return 0;
+            }
            ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
                                      PW_MIN_LENGTH, bufsiz - 1, buf);
        }

--- a/apps/ca.c
+++ b/apps/ca.c
@@ -563,10 +563,18 @@ int MAIN(int argc, char **argv)
 #ifdef OPENSSL_SYS_VMS
        len = strlen(s) + sizeof(CONFIG_FILE);
        tofree = OPENSSL_malloc(len);
+        if(!tofree) {
+            BIO_printf(bio_err, "Out of memory\n");
+            goto err;
+        }
        strcpy(tofree, s);
 #else
        len = strlen(s) + sizeof(CONFIG_FILE) + 1;
        tofree = OPENSSL_malloc(len);
+        if(!tofree) {
+            BIO_printf(bio_err, "Out of memory\n");
+            goto err;
+        }
        BUF_strlcpy(tofree, s, len);
        BUF_strlcat(tofree, "/", len);
 #endif

--- a/apps/cms.c
+++ b/apps/cms.c
@@ -465,6 +465,10 @@ int MAIN(int argc, char **argv)
            if (key_param == NULL || key_param->idx != keyidx) {
                cms_key_param *nparam;
                nparam = OPENSSL_malloc(sizeof(cms_key_param));
+                if(!nparam) {
+                    BIO_printf(bio_err, "Out of memory\n");
+                    goto argerr;
+                }
                nparam->idx = keyidx;
                nparam->param = sk_OPENSSL_STRING_new_null();
                nparam->next = NULL;

--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -460,6 +460,11 @@ int MAIN(int argc, char **argv)
            ERR_print_errors(bio_err);
            goto end;
        }
+        if (!sigbuf) {
+            BIO_printf(bio_err, "Out of memory\n");
+            ERR_print_errors(bio_err);
+            goto end;
+        }
        siglen = BIO_read(sigbio, sigbuf, siglen);
        BIO_free(sigbio);
        if (siglen <= 0) {

--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -268,6 +268,11 @@ int MAIN(int argc, char **argv)

    rsa_in = OPENSSL_malloc(keysize * 2);
    rsa_out = OPENSSL_malloc(keysize);
+    if (!rsa_in || !rsa_out) {
+        BIO_printf(bio_err, "Out of memory\n");
+        ERR_print_errors(bio_err);
+        goto end;
+    }

    /* Read the input data */
    rsa_inlen = BIO_read(in, rsa_in, keysize * 2);

--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -460,8 +460,13 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared)
    if (ncurves <= 0)
        return 1;
    curves = OPENSSL_malloc(ncurves * sizeof(int));
+    if(!curves) {
+        BIO_puts(out, "Malloc error getting supported curves\n");
+        return 0;
+    }
    SSL_get1_curves(s, curves);

+
    BIO_puts(out, "Supported Elliptic Curves: ");
    for (i = 0; i < ncurves; i++) {
        if (i)

--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -550,6 +550,11 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
    PW_CB_DATA cb_tmp;
    int l;

+    if(!pass) {
+        BIO_printf(bio_err, "Malloc failure\n");
+        return NULL;
+    }
+
    cb_tmp.password = (char *)srp_arg->srppassin;
    cb_tmp.prompt_info = "SRP user";
    if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {

--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -649,6 +649,8 @@ static int ebcdic_new(BIO *bi)
    EBCDIC_OUTBUFF *wbuf;

    wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
+    if (!wbuf)
+        return 0;
    wbuf->alloced = 1024;
    wbuf->buff[0] = '\0';

@@ -703,9 +705,11 @@ static int ebcdic_write(BIO *b, const char *in, int inl)
        num = num + num;        /* double the size */
        if (num < inl)
            num = inl;
-        OPENSSL_free(wbuf);
        wbuf =
            (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
+        if(!wbuf)
+            return 0;
+        OPENSSL_free(b->ptr);

        wbuf->alloced = num;
        wbuf->buff[0] = '\0';
@@ -3204,6 +3208,10 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
    unsigned char *p;

    sess = OPENSSL_malloc(sizeof(simple_ssl_session));
+    if(!sess) {
+        BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+        return 0;
+    }

    SSL_SESSION_get_id(session, &sess->idlen);
    sess->derlen = i2d_SSL_SESSION(session, NULL);
@@ -3211,6 +3219,16 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
    sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);

    sess->der = OPENSSL_malloc(sess->derlen);
+    if(!sess->id || !sess->der) {
+        BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+
+        if(sess->id)
+            OPENSSL_free(sess->id);
+        if(sess->der)
+            OPENSSL_free(sess->der);
+        OPENSSL_free(sess);
+        return 0;
+    }
    p = sess->der;
    i2d_SSL_SESSION(session, &p);


--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2764,6 +2764,11 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher)

    inp = OPENSSL_malloc(mblengths[num - 1]);
    out = OPENSSL_malloc(mblengths[num - 1] + 1024);
+    if(!inp || !out) {
+        BIO_printf(bio_err,"Out of memory\n");
+        goto end;
+    }
+

    EVP_CIPHER_CTX_init(&ctx);
    EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, no_key, no_iv);
@@ -2848,6 +2853,9 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher)
        fprintf(stdout, "\n");
    }

-    OPENSSL_free(inp);
-    OPENSSL_free(out);
+end:
+    if(inp)
+        OPENSSL_free(inp);
+    if(out)
+        OPENSSL_free(out);
 }
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -437,10 +437,18 @@ int MAIN(int argc, char **argv)
 # ifdef OPENSSL_SYS_VMS
            len = strlen(s) + sizeof(CONFIG_FILE);
            tofree = OPENSSL_malloc(len);
+            if(!tofree) {
+                BIO_printf(bio_err, "Out of memory\n");
+                goto err;
+            }
            strcpy(tofree, s);
 # else
            len = strlen(s) + sizeof(CONFIG_FILE) + 1;
            tofree = OPENSSL_malloc(len);
+            if(!tofree) {
+                BIO_printf(bio_err, "Out of memory\n");
+                goto err;
+            }
            BUF_strlcpy(tofree, s, len);
            BUF_strlcat(tofree, "/", len);
 # endif

--- a/apps/x509.c
+++ b/apps/x509.c
@@ -819,6 +819,11 @@ int MAIN(int argc, char **argv)

                z = i2d_X509(x, NULL);
                m = OPENSSL_malloc(z);
+                if (!m) {
+                    BIO_printf(bio_err, "Out of memory\n");
+                    ERR_print_errors(bio_err);
+                    goto end;
+                }

                d = (unsigned char *)m;
                z = i2d_X509_NAME(X509_get_subject_name(x), &d);

--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -162,6 +162,9 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)

    derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
    p = OPENSSL_malloc(derlen);
+    if(!p)
+        return 0;
+
    ndef_aux->derbuf = p;
    *pbuf = p;
    derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
@@ -229,6 +232,9 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg)

    derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
    p = OPENSSL_malloc(derlen);
+    if(!p)
+        return 0;
+
    ndef_aux->derbuf = p;
    *pbuf = p;
    derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);

--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -713,6 +713,10 @@ doapr_outch(char **sbuffer,
                if (*maxlen == 0)
                    *maxlen = 1024;
                *buffer = OPENSSL_malloc(*maxlen);
+                if(!*buffer) {
+                    /* Panic! Can't really do anything sensible. Just return */
+                    return;
+                }
                if (*currlen > 0) {
                    assert(*sbuffer != NULL);
                    memcpy(*buffer, *sbuffer, *currlen);
@@ -721,6 +725,10 @@ doapr_outch(char **sbuffer,
            } else {
                *maxlen += 1024;
                *buffer = OPENSSL_realloc(*buffer, *maxlen);
+                if(!*buffer) {
+                    /* Panic! Can't really do anything sensible. Just return */
+                    return;
+                }
            }
        }
        /* What to do if *buffer is NULL? */

--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -998,6 +998,10 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
     */
    sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
    authchunks = OPENSSL_malloc(sockopt_len);
+    if(!authchunks) {
+        BIO_vfree(bio);
+        return (NULL);
+    }
    memset(authchunks, 0, sockopt_len);
    ret =
        getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks,
@@ -1333,6 +1337,10 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
            optlen =
                (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
            authchunks = OPENSSL_malloc(optlen);
+            if (!authchunks) {
+                BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_ERROR);
+                return -1;
+            }
            memset(authchunks, 0, optlen);
            ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS,
                            authchunks, &optlen);
@@ -1399,10 +1407,15 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
     * yet, we have to save it and send it as soon as the socket gets dry.
     */
    if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) {
+        char *tmp;
        data->saved_message.bio = b;
+        if(!(tmp = OPENSSL_malloc(inl))) {
+            BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_ERROR);
+            return -1;
+        }
        if (data->saved_message.data)
            OPENSSL_free(data->saved_message.data);
-        data->saved_message.data = OPENSSL_malloc(inl);
+        data->saved_message.data = tmp;
        memcpy(data->saved_message.data, in, inl);
        data->saved_message.length = inl;
        return inl;

--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -231,6 +231,8 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
        return 0;
    }
    tmp = OPENSSL_malloc(inlen);
+    if(!tmp)
+        return 0;
    /* setup IV by decrypting last two blocks */
    if (!EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl,
                           in + inlen - 2 * blocklen, blocklen * 2)

--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -468,6 +468,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
        ret = 0;
        Zlen = DH_size(dh);
        Z = OPENSSL_malloc(Zlen);
+        if(!Z) {
+            goto err;
+        }
        if (DH_compute_key_padded(Z, dhpub, dh) <= 0)
            goto err;
        if (!DH_KDF_X9_42(key, *keylen, Z, Zlen, dctx->kdf_oid,

--- a/crypto/dso/dso_vms.c
+++ b/crypto/dso/dso_vms.c
@@ -527,7 +527,8 @@ static char *vms_name_converter(DSO *dso, const char *filename)
 {
    int len = strlen(filename);
    char *not_translated = OPENSSL_malloc(len + 1);
-    strcpy(not_translated, filename);
+    if(not_translated)
+        strcpy(not_translated, filename);
    return (not_translated);
 }


--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -311,15 +311,18 @@ void OBJ_NAME_do_all_sorted(int type,
    d.type = type;
    d.names =
        OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names);
-    d.n = 0;
-    OBJ_NAME_do_all(type, do_all_sorted_fn, &d);
+    /* Really should return an error if !d.names...but its a void function! */
+    if(d.names) {
+        d.n = 0;
+        OBJ_NAME_do_all(type, do_all_sorted_fn, &d);

-    qsort((void *)d.names, d.n, sizeof *d.names, do_all_sorted_cmp);
+        qsort((void *)d.names, d.n, sizeof *d.names, do_all_sorted_cmp);

-    for (n = 0; n < d.n; ++n)
-        fn(d.names[n], arg);
+        for (n = 0; n < d.n; ++n)
+            fn(d.names[n], arg);

-    OPENSSL_free((void *)d.names);
+        OPENSSL_free((void *)d.names);
+    }
 }

 static int free_type;

--- a/crypto/rand/rand_os2.c
+++ b/crypto/rand/rand_os2.c
@@ -149,6 +149,9 @@ int RAND_poll(void)
    if (DosQuerySysState) {
        char *buffer = OPENSSL_malloc(256 * 1024);

+        if(!buffer)
+            return 0;
+
        if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) {
            /*
             * First 4 bytes in buffer is a pointer to the thread count there

--- a/crypto/threads/th-lock.c
+++ b/crypto/threads/th-lock.c
@@ -117,6 +117,10 @@ void CRYPTO_thread_setup(void)
    int i;

    lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE));
+    if(!lock_cs) {
+        /* Nothing we can do about this...void function! */
+        return;
+    }
    for (i = 0; i < CRYPTO_num_locks(); i++) {
        lock_cs[i] = CreateMutex(NULL, FALSE, NULL);
    }
@@ -168,6 +172,10 @@ void CRYPTO_thread_setup(void)
 # else
    lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(rwlock_t));
 # endif
+    if(!lock_cs) {
+        /* Nothing we can do about this...void function! */
+        return;
+    }
    lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
    for (i = 0; i < CRYPTO_num_locks(); i++) {
        lock_count[i] = 0;
@@ -239,6 +247,12 @@ void CRYPTO_thread_setup(void)
    int i;
    char filename[20];

+    lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *));
+    if(!lock_cs) {
+        /* Nothing we can do about this...void function! */
+        return;
+    }
+
    strcpy(filename, "/tmp/mttest.XXXXXX");
    mktemp(filename);

@@ -249,7 +263,6 @@ void CRYPTO_thread_setup(void)
    arena = usinit(filename);
    unlink(filename);

-    lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *));
    for (i = 0; i < CRYPTO_num_locks(); i++) {
        lock_cs[i] = usnewsema(arena, 1);
    }
@@ -303,6 +316,14 @@ void CRYPTO_thread_setup(void)

    lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
    lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+    if(!lock_cs || !lock_count) {
+        /* Nothing we can do about this...void function! */
+        if(lock_cs)
+            OPENSSL_free(lock_cs);
+        if(lock_count)
+            OPENSSL_free(lock_count);
+        return;
+    }
    for (i = 0; i < CRYPTO_num_locks(); i++) {
        lock_count[i] = 0;
        pthread_mutex_init(&(lock_cs[i]), NULL);

--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -727,6 +727,10 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                packlen *= 4;

            wb->buf = OPENSSL_malloc(packlen);
+            if(!wb->buf) {
+                SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE);
+                return -1;
+            }
            wb->len = packlen;
        } else if (tot == len) { /* done? */
            OPENSSL_free(wb->buf); /* free jumbo buffer */