Commit bfdf7c889b for openssl.org
commit bfdf7c889b80ca61cb137828a01a2569a0ac56fc
Author: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Date: Thu Jan 8 03:01:27 2026 +0000
fuzz/provider.c: Add check for OPENSSL_malloc() to avoid potential NULL pointer dereference
Add check for the return value of OPENSSL_malloc() to avoid potential NULL pointer dereference.
Fixes: f3b988d ("Add provider fuzzer")
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27868)
diff --git a/fuzz/provider.c b/fuzz/provider.c
index 45f639a71b..36e1c6623e 100644
--- a/fuzz/provider.c
+++ b/fuzz/provider.c
@@ -112,6 +112,10 @@ static int read_uint(const uint8_t **buf, size_t *len, uint64_t **res)
}
*res = OPENSSL_malloc(sizeof(uint64_t));
+ if (*res == NULL) {
+ r = 0;
+ goto end;
+ }
**res = (uint64_t)**buf;
*buf += sizeof(uint64_t);
@@ -130,6 +134,10 @@ static int read_int(const uint8_t **buf, size_t *len, int64_t **res)
}
*res = OPENSSL_malloc(sizeof(int64_t));
+ if (*res == NULL) {
+ r = 0;
+ goto end;
+ }
**res = (int64_t)**buf;
*buf += sizeof(int64_t);
@@ -148,6 +156,10 @@ static int read_double(const uint8_t **buf, size_t *len, double **res)
}
*res = OPENSSL_malloc(sizeof(double));
+ if (*res == NULL) {
+ r = 0;
+ goto end;
+ }
**res = (double)**buf;
*buf += sizeof(double);
@@ -270,6 +282,8 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
p_num++;
fuzzed_parameters = OPENSSL_calloc(p_num + 1, sizeof(OSSL_PARAM));
+ if (fuzzed_parameters == NULL)
+ return NULL;
p = fuzzed_parameters;
for (; param != NULL && param->key != NULL; param++) {
@@ -286,6 +300,10 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
if (!read_int(buf, len, &use_param)) {
use_param = OPENSSL_malloc(sizeof(uint64_t));
+ if (use_param == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ return NULL;
+ }
*use_param = 0;
}
@@ -293,18 +311,43 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
case OSSL_PARAM_INTEGER:
if (strcmp(param->key, OSSL_KDF_PARAM_ITER) == 0) {
p_value_int = OPENSSL_malloc(sizeof(ITERS));
+ if (p_value_int == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_int = ITERS;
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_N) == 0) {
p_value_int = OPENSSL_malloc(sizeof(ITERS));
+ if (p_value_int == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_int = ITERS;
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_R) == 0) {
p_value_int = OPENSSL_malloc(sizeof(BLOCKSIZE));
+ if (p_value_int == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_int = BLOCKSIZE;
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_P) == 0) {
p_value_int = OPENSSL_malloc(sizeof(BLOCKSIZE));
+ if (p_value_int == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_int = BLOCKSIZE;
} else if (!*use_param || !read_int(buf, len, &p_value_int)) {
p_value_int = OPENSSL_malloc(sizeof(int64_t));
+ if (p_value_int == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_int = 0;
}
@@ -315,18 +358,43 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
case OSSL_PARAM_UNSIGNED_INTEGER:
if (strcmp(param->key, OSSL_KDF_PARAM_ITER) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UITERS));
+ if (p_value_uint == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_uint = UITERS;
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_N) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UITERS));
+ if (p_value_uint == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_uint = UITERS;
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_R) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UBLOCKSIZE));
+ if (p_value_uint == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_uint = UBLOCKSIZE;
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_P) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UBLOCKSIZE));
+ if (p_value_uint == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_uint = UBLOCKSIZE;
} else if (!*use_param || !read_uint(buf, len, &p_value_uint)) {
p_value_uint = OPENSSL_malloc(sizeof(uint64_t));
+ if (p_value_uint == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_uint = 0;
}
@@ -337,6 +405,11 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
case OSSL_PARAM_REAL:
if (!*use_param || !read_double(buf, len, &p_value_double)) {
p_value_double = OPENSSL_malloc(sizeof(double));
+ if (p_value_double == NULL) {
+ OPENSSL_free(fuzzed_parameters);
+ OPENSSL_free(use_param);
+ return NULL;
+ }
*p_value_double = 0;
}