Prevent allocations of size 0 in sh_init.

which are not possible with the default OPENSSL_zalloc, but are possible if the user has installed their own allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the secure heap code will later access (at least) the first byte of that space, which is technically an OOB access. This could lead to problems with some custom allocators that only return a valid pointer for subsequent free()-ing, and do not expect that the pointer is actually dereferenced. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2605) (cherry picked from commit 7f07149d25f8d7e00e9350ff2f064a4d25c1a13d)
author: Guido Vranken <guidovranken@gmail.com> 2017-02-13 01:36:43 +0100
committer: Rich Salz <rsalz@openssl.org> 2017-02-14 14:35:40 -0500
commit: be31d57686a551261cfd5deb95c9553402942a43 (patch)
tree: 360af1d3c7b649a7ba95028e4c07c730451d5a22
parent: dff827da751525b0e32ecb59a1d382b03f34a4de (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/mem_sec.c b/crypto/mem_sec.c
index 4ccff34e5e..0c79b43658 100644
--- a/crypto/mem_sec.c
+++ b/crypto/mem_sec.c
@@ -356,6 +356,10 @@ static int sh_init(size_t size, int minsize)
     sh.minsize = minsize;
     sh.bittable_size = (sh.arena_size / sh.minsize) * 2;
 
+    /* Prevent allocations of size 0 later on */
+    if (sh.bittable_size >> 3 == 0)
+        goto err;
+
     sh.freelist_size = -1;
     for (i = sh.bittable_size; i; i >>= 1)
         sh.freelist_size++;
author	Guido Vranken <guidovranken@gmail.com>	2017-02-13 01:36:43 +0100
committer	Rich Salz <rsalz@openssl.org>	2017-02-14 14:35:40 -0500
commit	be31d57686a551261cfd5deb95c9553402942a43 (patch)
tree	360af1d3c7b649a7ba95028e4c07c730451d5a22
parent	dff827da751525b0e32ecb59a1d382b03f34a4de (diff)