Fix Issue OSS-Fuzz: Branch on uninitialized memory (in ccm code).
authorShane Lontis <shane.lontis@oracle.com>
Sun, 25 Aug 2019 07:10:48 +0000 (17:10 +1000)
committerShane Lontis <shane.lontis@oracle.com>
Sun, 25 Aug 2019 07:10:55 +0000 (17:10 +1000)
This would also happen for aes-ccm. There was one branch path where it just returned 1
without setting *padlen. It now branches so that the value is set to 0.

Fixes #9691

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9692)

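--- a/providers/common/ciphers/cipher_ccm.c
+++ b/providers/common/ciphers/cipher_ccm.c
@@ -349,7 +349,7 @@ static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
 
     /* EVP_*Final() doesn't return any data */
     if (in == NULL && out != NULL)
-        return 1;
+        goto finish;
 
     if (!ctx->iv_set)
         goto err;
@@ -388,6 +388,7 @@ static int ccm_cipher_internal(PROV_CCM_CTX *ctx, unsigned char *out,
         }
     }
     olen = len;
+finish:
     rv = 1;
 err:
     *padlen = olen;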
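Review bot: The new `goto finish;` path reports its length through `*padlen = olen;`, so it is only correct if `olen` still holds its initial value when the `in == NULL && out != NULL` branch is taken, and that initializer is outside both hunks (the body of ccm_cipher_internal starts before the first hunk and continues between them). Making the dependency explicit at the jump would protect it from later edits, either with `olen = 0;` before `goto finish;` or with a comment such as `/* Final call: no output produced, olen must still be 0 */`. The same `*padlen = olen;` store is also reached through `err:`, so it is worth confirming that no failure path can leave a non-zero `olen` that a caller might trust without checking the return value. Since the original defect was an output length left unset on a success return, a regression test that runs the final step for the CCM ciphers and asserts the returned length is 0 would keep this branch covered.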