From: Jiasheng Jiang Date: Thu, 8 Jan 2026 03:01:27 +0000 (+0000) Subject: fuzz/provider.c: Add check for OPENSSL_malloc() to avoid potential NULL pointer deref... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfdf7c889b80ca61cb137828a01a2569a0ac56fc;p=thirdparty%2Fopenssl.git fuzz/provider.c: Add check for OPENSSL_malloc() to avoid potential NULL pointer dereference Add check for the return value of OPENSSL_malloc() to avoid potential NULL pointer dereference. Fixes: f3b988d ("Add provider fuzzer") Signed-off-by: Jiasheng Jiang Reviewed-by: Paul Dale Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Neil Horman (Merged from https://github.com/openssl/openssl/pull/27868) --- diff --git a/fuzz/provider.c b/fuzz/provider.c index 45f639a71b7..36e1c6623e4 100644 --- a/fuzz/provider.c +++ b/fuzz/provider.c @@ -112,6 +112,10 @@ static int read_uint(const uint8_t **buf, size_t *len, uint64_t **res) } *res = OPENSSL_malloc(sizeof(uint64_t)); + if (*res == NULL) { + r = 0; + goto end; + } **res = (uint64_t)**buf; *buf += sizeof(uint64_t); @@ -130,6 +134,10 @@ static int read_int(const uint8_t **buf, size_t *len, int64_t **res) } *res = OPENSSL_malloc(sizeof(int64_t)); + if (*res == NULL) { + r = 0; + goto end; + } **res = (int64_t)**buf; *buf += sizeof(int64_t); @@ -148,6 +156,10 @@ static int read_double(const uint8_t **buf, size_t *len, double **res) } *res = OPENSSL_malloc(sizeof(double)); + if (*res == NULL) { + r = 0; + goto end; + } **res = (double)**buf; *buf += sizeof(double); @@ -270,6 +282,8 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l p_num++; fuzzed_parameters = OPENSSL_calloc(p_num + 1, sizeof(OSSL_PARAM)); + if (fuzzed_parameters == NULL) + return NULL; p = fuzzed_parameters; for (; param != NULL && param->key != NULL; param++) { @@ -286,6 +300,10 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l if (!read_int(buf, len, &use_param)) { use_param = OPENSSL_malloc(sizeof(uint64_t)); + if (use_param == NULL) { + OPENSSL_free(fuzzed_parameters); + return NULL; + } *use_param = 0; } @@ -293,18 +311,43 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l case OSSL_PARAM_INTEGER: if (strcmp(param->key, OSSL_KDF_PARAM_ITER) == 0) { p_value_int = OPENSSL_malloc(sizeof(ITERS)); + if (p_value_int == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_int = ITERS; } else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_N) == 0) { p_value_int = OPENSSL_malloc(sizeof(ITERS)); + if (p_value_int == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_int = ITERS; } else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_R) == 0) { p_value_int = OPENSSL_malloc(sizeof(BLOCKSIZE)); + if (p_value_int == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_int = BLOCKSIZE; } else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_P) == 0) { p_value_int = OPENSSL_malloc(sizeof(BLOCKSIZE)); + if (p_value_int == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_int = BLOCKSIZE; } else if (!*use_param || !read_int(buf, len, &p_value_int)) { p_value_int = OPENSSL_malloc(sizeof(int64_t)); + if (p_value_int == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_int = 0; } @@ -315,18 +358,43 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l case OSSL_PARAM_UNSIGNED_INTEGER: if (strcmp(param->key, OSSL_KDF_PARAM_ITER) == 0) { p_value_uint = OPENSSL_malloc(sizeof(UITERS)); + if (p_value_uint == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_uint = UITERS; } else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_N) == 0) { p_value_uint = OPENSSL_malloc(sizeof(UITERS)); + if (p_value_uint == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_uint = UITERS; } else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_R) == 0) { p_value_uint = OPENSSL_malloc(sizeof(UBLOCKSIZE)); + if (p_value_uint == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_uint = UBLOCKSIZE; } else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_P) == 0) { p_value_uint = OPENSSL_malloc(sizeof(UBLOCKSIZE)); + if (p_value_uint == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_uint = UBLOCKSIZE; } else if (!*use_param || !read_uint(buf, len, &p_value_uint)) { p_value_uint = OPENSSL_malloc(sizeof(uint64_t)); + if (p_value_uint == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_uint = 0; } @@ -337,6 +405,11 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l case OSSL_PARAM_REAL: if (!*use_param || !read_double(buf, len, &p_value_double)) { p_value_double = OPENSSL_malloc(sizeof(double)); + if (p_value_double == NULL) { + OPENSSL_free(fuzzed_parameters); + OPENSSL_free(use_param); + return NULL; + } *p_value_double = 0; }