From 9f114219508d64a5b9522006eab1ed2db918dd25 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Wed, 4 Mar 2015 17:49:51 +0000
Subject: Unchecked malloc fixes

Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 918bb8652969fd53f0c390c1cd909265ed502c7e)

Conflicts:
	crypto/bio/bss_dgram.c

Conflicts:
	apps/cms.c
	apps/s_cb.c
	apps/s_server.c
	apps/speed.c
	crypto/dh/dh_pmeth.c
	ssl/s3_pkt.c
---
 crypto/asn1/bio_ndef.c   |  6 ++++++
 crypto/bio/b_print.c     |  8 ++++++++
 crypto/bio/bss_dgram.c   | 15 ++++++++++++++-
 crypto/cms/cms_pwri.c    |  2 ++
 crypto/dso/dso_vms.c     |  3 ++-
 crypto/objects/o_names.c | 15 +++++++++------
 crypto/rand/rand_os2.c   |  3 +++
 crypto/threads/th-lock.c | 23 ++++++++++++++++++++++-
 8 files changed, 66 insertions(+), 9 deletions(-)

(limited to 'crypto')

diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index 5817a2b8a7..4a73ca9eac 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -162,6 +162,9 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
 
     derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
     p = OPENSSL_malloc(derlen);
+    if(!p)
+        return 0;
+
     ndef_aux->derbuf = p;
     *pbuf = p;
     derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
@@ -229,6 +232,9 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
 
     derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
     p = OPENSSL_malloc(derlen);
+    if(!p)
+        return 0;
+
     ndef_aux->derbuf = p;
     *pbuf = p;
     derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index 5dc7630009..f7940f28be 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -713,6 +713,10 @@ doapr_outch(char **sbuffer,
                 if (*maxlen == 0)
                     *maxlen = 1024;
                 *buffer = OPENSSL_malloc(*maxlen);
+                if(!*buffer) {
+                    /* Panic! Can't really do anything sensible. Just return */
+                    return;
+                }
                 if (*currlen > 0) {
                     assert(*sbuffer != NULL);
                     memcpy(*buffer, *sbuffer, *currlen);
@@ -721,6 +725,10 @@ doapr_outch(char **sbuffer,
             } else {
                 *maxlen += 1024;
                 *buffer = OPENSSL_realloc(*buffer, *maxlen);
+                if(!*buffer) {
+                    /* Panic! Can't really do anything sensible. Just return */
+                    return;
+                }
             }
         }
         /* What to do if *buffer is NULL? */
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index dd368025ed..b495db26e1 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -953,6 +953,10 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
      */
     sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
     authchunks = OPENSSL_malloc(sockopt_len);
+    if(!authchunks) {
+        BIO_vfree(bio);
+        return (NULL);
+    }
     memset(authchunks, 0, sizeof(sockopt_len));
     ret =
         getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks,
@@ -1288,6 +1292,10 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
             optlen =
                 (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
             authchunks = OPENSSL_malloc(optlen);
+            if (!authchunks) {
+                BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_ERROR);
+                return -1;
+            }
             memset(authchunks, 0, sizeof(optlen));
             ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS,
                             authchunks, &optlen);
@@ -1354,10 +1362,15 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl)
      * yet, we have to save it and send it as soon as the socket gets dry.
      */
     if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) {
+        char *tmp;
         data->saved_message.bio = b;
+        if(!(tmp = OPENSSL_malloc(inl))) {
+            BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_ERROR);
+            return -1;
+        }
         if (data->saved_message.data)
             OPENSSL_free(data->saved_message.data);
-        data->saved_message.data = OPENSSL_malloc(inl);
+        data->saved_message.data = tmp;
         memcpy(data->saved_message.data, in, inl);
         data->saved_message.length = inl;
         return inl;
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index d93b14fa2c..076b545789 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -231,6 +231,8 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
         return 0;
     }
     tmp = OPENSSL_malloc(inlen);
+    if(!tmp)
+        return 0;
     /* setup IV by decrypting last two blocks */
     EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl,
                       in + inlen - 2 * blocklen, blocklen * 2);
diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c
index 8793f7e0ff..0eff96ec22 100644
--- a/crypto/dso/dso_vms.c
+++ b/crypto/dso/dso_vms.c
@@ -539,7 +539,8 @@ static char *vms_name_converter(DSO *dso, const char *filename)
 {
     int len = strlen(filename);
     char *not_translated = OPENSSL_malloc(len + 1);
-    strcpy(not_translated, filename);
+    if(not_translated)
+        strcpy(not_translated, filename);
     return (not_translated);
 }
 
diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index e1e13a6131..c6774f4578 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -312,15 +312,18 @@ void OBJ_NAME_do_all_sorted(int type,
     d.type = type;
     d.names =
         OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names);
-    d.n = 0;
-    OBJ_NAME_do_all(type, do_all_sorted_fn, &d);
+    /* Really should return an error if !d.names...but its a void function! */
+    if(d.names) {
+        d.n = 0;
+        OBJ_NAME_do_all(type, do_all_sorted_fn, &d);
 
-    qsort((void *)d.names, d.n, sizeof *d.names, do_all_sorted_cmp);
+        qsort((void *)d.names, d.n, sizeof *d.names, do_all_sorted_cmp);
 
-    for (n = 0; n < d.n; ++n)
-        fn(d.names[n], arg);
+        for (n = 0; n < d.n; ++n)
+            fn(d.names[n], arg);
 
-    OPENSSL_free((void *)d.names);
+        OPENSSL_free((void *)d.names);
+    }
 }
 
 static int free_type;
diff --git a/crypto/rand/rand_os2.c b/crypto/rand/rand_os2.c
index 9c4a137bb7..02148d5bf9 100644
--- a/crypto/rand/rand_os2.c
+++ b/crypto/rand/rand_os2.c
@@ -149,6 +149,9 @@ int RAND_poll(void)
     if (DosQuerySysState) {
         char *buffer = OPENSSL_malloc(256 * 1024);
 
+        if(!buffer)
+            return 0;
+
         if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) {
             /*
              * First 4 bytes in buffer is a pointer to the thread count there
diff --git a/crypto/threads/th-lock.c b/crypto/threads/th-lock.c
index 1b5765948a..28884c2d44 100644
--- a/crypto/threads/th-lock.c
+++ b/crypto/threads/th-lock.c
@@ -117,6 +117,10 @@ void CRYPTO_thread_setup(void)
     int i;
 
     lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE));
+    if(!lock_cs) {
+        /* Nothing we can do about this...void function! */
+        return;
+    }
     for (i = 0; i < CRYPTO_num_locks(); i++) {
         lock_cs[i] = CreateMutex(NULL, FALSE, NULL);
     }
@@ -168,6 +172,10 @@ void CRYPTO_thread_setup(void)
 # else
     lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(rwlock_t));
 # endif
+    if(!lock_cs) {
+        /* Nothing we can do about this...void function! */
+        return;
+    }
     lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
     for (i = 0; i < CRYPTO_num_locks(); i++) {
         lock_count[i] = 0;
@@ -251,6 +259,12 @@ void CRYPTO_thread_setup(void)
     int i;
     char filename[20];
 
+    lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *));
+    if(!lock_cs) {
+        /* Nothing we can do about this...void function! */
+        return;
+    }
+
     strcpy(filename, "/tmp/mttest.XXXXXX");
     mktemp(filename);
 
@@ -261,7 +275,6 @@ void CRYPTO_thread_setup(void)
     arena = usinit(filename);
     unlink(filename);
 
-    lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *));
     for (i = 0; i < CRYPTO_num_locks(); i++) {
         lock_cs[i] = usnewsema(arena, 1);
     }
@@ -315,6 +328,14 @@ void CRYPTO_thread_setup(void)
 
     lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
     lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+    if(!lock_cs || !lock_count) {
+        /* Nothing we can do about this...void function! */
+        if(lock_cs)
+            OPENSSL_free(lock_cs);
+        if(lock_count)
+            OPENSSL_free(lock_count);
+        return;
+    }
     for (i = 0; i < CRYPTO_num_locks(); i++) {
         lock_count[i] = 0;
         pthread_mutex_init(&(lock_cs[i]), NULL);
-- 
cgit v1.2.3