add checks for the return values of BN_new(), sk_RSA_PRIME_INFO_new_reserve(),

EVP_PKEY_CTX_new_from_pkey() and EVP_CIPHER_CTX_new().
Otherwise may result in memory errors.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16892)

diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index bc2b5179b748b6c645bcda4ad0332ecbe9f2899e..380240561f86838df76a5207a49783fa81d5c9e4 100644 (file)
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -85,6 +85,10 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
         goto merr;
     }
     ctx = EVP_CIPHER_CTX_new();
+    if (ctx == NULL) {
+        ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
 
     if (EVP_EncryptInit_ex(ctx, kekciph, NULL, NULL, NULL) <= 0) {
         ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB);

diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c
index 6e87bd16571902d9a2f54f537ef0cdbc8b7498e7..21b0cbd5fbefac89f75303b395761afeba30dcb0 100644 (file)
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -65,7 +65,8 @@ DSA_SIG *d2i_DSA_SIG(DSA_SIG **psig, const unsigned char **ppin, long len)
         sig->r = BN_new();
     if (sig->s == NULL)
         sig->s = BN_new();
-    if (ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) {
+    if (sig->r == NULL || sig->s == NULL
+        || ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) {
         if (psig == NULL || *psig == NULL)
             DSA_SIG_free(sig);
         return NULL;

diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 31519137c6a7a34262f14118777c5f4029bd16a9..6323131a22b70fe5b8635b04c62b8be26f5a15a7 100644 (file)
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1223,7 +1223,8 @@ ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **psig, const unsigned char **ppin, long len)
         sig->r = BN_new();
     if (sig->s == NULL)
         sig->s = BN_new();
-    if (ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) {
+    if (sig->r == NULL || sig->s == NULL
+        || ossl_decode_der_dsa_sig(sig->r, sig->s, ppin, (size_t)len) == 0) {
         if (psig == NULL || *psig == NULL)
             ECDSA_SIG_free(sig);
         return NULL;

diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 38e22f3b6ce2979e19485779735760d5bad7db96..2552dd702a005229614258c59b25c2b6156c1623 100644 (file)
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -1850,6 +1850,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx,
     if (tmp_keymgmt == NULL) {
         EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pk, propquery);
 
+        if (ctx == NULL)
+            goto end;
         tmp_keymgmt = ctx->keymgmt;
         ctx->keymgmt = NULL;
         EVP_PKEY_CTX_free(ctx);

diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 6f5207abd1bfbe72991ee30c3d4586ab267b983d..83166b5887774355db53b53f041d13136210becd 100644 (file)
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -839,6 +839,11 @@ static void *do_PVK_body_key(const unsigned char **in,
 #endif
     EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
 
+    if (cctx == NULL) {
+        ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
     if (saltlen) {
 #ifndef OPENSSL_NO_RC4
         unsigned int magic;

diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c
index 85ad54e4cfdbc85cad5d0e0fa3a4122ad5d9d954..46283265d2746cddd6373e8ba6ca86a4f8f5d07d 100644 (file)
--- a/crypto/rsa/rsa_backend.c
+++ b/crypto/rsa/rsa_backend.c
@@ -392,6 +392,8 @@ RSA *ossl_rsa_dup(const RSA *rsa, int selection)
     if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0
         && (pnum = sk_RSA_PRIME_INFO_num(rsa->prime_infos)) > 0) {
         dupkey->prime_infos = sk_RSA_PRIME_INFO_new_reserve(NULL, pnum);
+        if (dupkey->prime_infos == NULL)
+            goto err;
         for (i = 0; i < pnum; i++) {
             const RSA_PRIME_INFO *pinfo = NULL;
             RSA_PRIME_INFO *duppinfo = NULL;