Commit c263ea553c for openssl.org
commit c263ea553c1d19f12d0040ecd184e4bf4e054af3
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date: Wed Apr 22 15:33:23 2026 +0200
Fix fuzz test to handle memory failures
It also fixes related memory leaks and removes extensive asserts that
should not be present in fuzzy tests.
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Jul 15 16:01:42 2026
(Merged from https://github.com/openssl/openssl/pull/30944)
diff --git a/fuzz/acert.c b/fuzz/acert.c
index 14c2f657ee..3af3c3e87a 100644
--- a/fuzz/acert.c
+++ b/fuzz/acert.c
@@ -26,13 +26,16 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
const unsigned char *p = buf;
unsigned char *der = NULL;
+ X509_ACERT *acert;
- X509_ACERT *acert = d2i_X509_ACERT(NULL, &p, (long)len);
+ acert = d2i_X509_ACERT(NULL, &p, (long)len);
if (acert != NULL) {
BIO *bio = BIO_new(BIO_s_null());
- X509_ACERT_print(bio, acert);
- BIO_free(bio);
+ if (bio != NULL) {
+ X509_ACERT_print(bio, acert);
+ BIO_free(bio);
+ }
i2d_X509_ACERT(acert, &der);
OPENSSL_free(der);
diff --git a/fuzz/asn1.c b/fuzz/asn1.c
index 934e1447e9..12ba8a13d4 100644
--- a/fuzz/asn1.c
+++ b/fuzz/asn1.c
@@ -277,9 +277,6 @@ static ASN1_PCTX *pctx;
TYPE *type = D2I(NULL, &p, (long)len); \
\
if (type != NULL) { \
- BIO *bio = BIO_new(BIO_s_null()); \
- \
- BIO_free(bio); \
I2D(type, &der); \
OPENSSL_free(der); \
TYPE##_free(type); \
@@ -290,6 +287,8 @@ int FuzzerInitialize(int *argc, char ***argv)
{
FuzzerSetRand();
pctx = ASN1_PCTX_new();
+ if (pctx == NULL)
+ return 0;
ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT | ASN1_PCTX_FLAGS_SHOW_SEQUENCE | ASN1_PCTX_FLAGS_SHOW_SSOF | ASN1_PCTX_FLAGS_SHOW_TYPE | ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME);
ASN1_PCTX_set_str_flags(pctx, ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_SHOW_TYPE | ASN1_STRFLGS_DUMP_ALL);
diff --git a/fuzz/bignum.c b/fuzz/bignum.c
index b9dcb49ebe..eec776e7b3 100644
--- a/fuzz/bignum.c
+++ b/fuzz/bignum.c
@@ -28,7 +28,6 @@ int FuzzerInitialize(int *argc, char ***argv)
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
- int success = 0;
size_t l1 = 0, l2 = 0, l3 = 0;
int s1 = 0, s3 = 0;
BN_CTX *ctx;
@@ -45,6 +44,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
b5 = BN_new();
ctx = BN_CTX_new();
+ if (b1 == NULL || b2 == NULL || b3 == NULL || b4 == NULL || b5 == NULL
+ || ctx == NULL)
+ goto done;
+
/* Divide the input into three parts, using the values of the first two
* bytes to choose lengths, which generate b1, b2 and b3. Use three bits
* of the third byte to choose signs for the three numbers.
@@ -62,23 +65,25 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
s3 = buf[0] & 4;
++buf;
}
- OPENSSL_assert(BN_bin2bn(buf, (int)l1, b1) == b1);
+ if (BN_bin2bn(buf, (int)l1, b1) != b1)
+ goto done;
BN_set_negative(b1, s1);
- OPENSSL_assert(BN_bin2bn(buf + l1, (int)l2, b2) == b2);
- OPENSSL_assert(BN_bin2bn(buf + l1 + l2, (int)l3, b3) == b3);
+ if (BN_bin2bn(buf + l1, (int)l2, b2) != b2)
+ goto done;
+ if (BN_bin2bn(buf + l1 + l2, (int)l3, b3) != b3)
+ goto done;
BN_set_negative(b3, s3);
/* mod 0 is undefined */
- if (BN_is_zero(b3)) {
- success = 1;
+ if (BN_is_zero(b3))
goto done;
- }
- OPENSSL_assert(BN_mod_exp(b4, b1, b2, b3, ctx));
- OPENSSL_assert(BN_mod_exp_simple(b5, b1, b2, b3, ctx));
+ if (!BN_mod_exp(b4, b1, b2, b3, ctx))
+ goto done;
+ if (!BN_mod_exp_simple(b5, b1, b2, b3, ctx))
+ goto done;
- success = BN_cmp(b4, b5) == 0;
- if (!success) {
+ if (BN_cmp(b4, b5) != 0) {
BN_print_fp(stdout, b1);
putchar('\n');
BN_print_fp(stdout, b2);
@@ -92,7 +97,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
done:
- OPENSSL_assert(success);
BN_free(b1);
BN_free(b2);
BN_free(b3);
diff --git a/fuzz/bndiv.c b/fuzz/bndiv.c
index a52f7b598b..c3a2d2f305 100644
--- a/fuzz/bndiv.c
+++ b/fuzz/bndiv.c
@@ -37,6 +37,19 @@ int FuzzerInitialize(int *argc, char ***argv)
b5 = BN_new();
ctx = BN_CTX_new();
+ if (b1 == NULL || b2 == NULL || b3 == NULL || b4 == NULL || b5 == NULL
+ || ctx == NULL) {
+ BN_free(b1);
+ BN_free(b2);
+ BN_free(b3);
+ BN_free(b4);
+ BN_free(b5);
+ BN_CTX_free(ctx);
+ b1 = b2 = b3 = b4 = b5 = NULL;
+ ctx = NULL;
+ return 0;
+ }
+
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
ERR_clear_error();
@@ -69,18 +82,19 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
++buf;
l2 = len - l1;
}
- OPENSSL_assert(BN_bin2bn(buf, (int)l1, b1) == b1);
+ if (BN_bin2bn(buf, (int)l1, b1) != b1)
+ goto done;
BN_set_negative(b1, s1);
- OPENSSL_assert(BN_bin2bn(buf + l1, (int)l2, b2) == b2);
+ if (BN_bin2bn(buf + l1, (int)l2, b2) != b2)
+ goto done;
BN_set_negative(b2, s2);
/* divide by 0 is an error */
- if (BN_is_zero(b2)) {
- success = 1;
+ if (BN_is_zero(b2))
goto done;
- }
- OPENSSL_assert(BN_div(b3, b4, b1, b2, ctx));
+ if (!BN_div(b3, b4, b1, b2, ctx))
+ goto done;
if (BN_is_zero(b1))
success = BN_is_zero(b3) && BN_is_zero(b4);
else if (BN_is_negative(b1))
@@ -89,8 +103,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
else
success = (BN_is_negative(b3) == BN_is_negative(b2) || BN_is_zero(b3))
&& (!BN_is_negative(b4) || BN_is_zero(b4));
- OPENSSL_assert(BN_mul(b5, b3, b2, ctx));
- OPENSSL_assert(BN_add(b5, b5, b4));
+ if (!BN_mul(b5, b3, b2, ctx))
+ goto done;
+ if (!BN_add(b5, b5, b4))
+ goto done;
success = success && BN_cmp(b5, b1) == 0;
if (!success) {
@@ -114,7 +130,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
done:
- OPENSSL_assert(success);
ERR_clear_error();
return 0;
diff --git a/fuzz/client.c b/fuzz/client.c
index 86cec0cd43..64d30dd09e 100644
--- a/fuzz/client.c
+++ b/fuzz/client.c
@@ -76,8 +76,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
client = SSL_new(ctx);
if (client == NULL)
goto end;
- OPENSSL_assert(SSL_set_min_proto_version(client, 0) == 1);
- OPENSSL_assert(SSL_set_cipher_list(client, "ALL:eNULL:@SECLEVEL=0") == 1);
+ if (SSL_set_min_proto_version(client, 0) != 1)
+ goto end;
+ if (SSL_set_cipher_list(client, "ALL:eNULL:@SECLEVEL=0") != 1)
+ goto end;
SSL_set_tlsext_host_name(client, "localhost");
in = BIO_new(BIO_s_mem());
if (in == NULL)
@@ -89,7 +91,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
SSL_set_bio(client, in, out);
SSL_set_connect_state(client);
- OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+ if ((size_t)BIO_write(in, buf, (int)len) != len)
+ goto end;
if (SSL_do_handshake(client) == 1) {
/* Keep reading application data until error or EOF. */
uint8_t tmp[1024];
diff --git a/fuzz/cmp.c b/fuzz/cmp.c
index c86d390f8b..ae4dcc033d 100644
--- a/fuzz/cmp.c
+++ b/fuzz/cmp.c
@@ -176,8 +176,13 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
return 0;
in = BIO_new(BIO_s_mem());
+ if (in == NULL) {
+ ERR_clear_error();
+ return 0;
+ }
if ((size_t)BIO_write(in, buf, (int)len) != len) {
BIO_free(in);
+ ERR_clear_error();
return 0;
}
diff --git a/fuzz/cms.c b/fuzz/cms.c
index 0cd8ea9551..d45bf1b63c 100644
--- a/fuzz/cms.c
+++ b/fuzz/cms.c
@@ -34,13 +34,23 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
return 0;
in = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+ if (in == NULL) {
+ ERR_clear_error();
+ return 0;
+ }
+ if ((size_t)BIO_write(in, buf, (int)len) != len) {
+ BIO_free(in);
+ ERR_clear_error();
+ return 0;
+ }
cms = d2i_CMS_bio(in, NULL);
if (cms != NULL) {
BIO *out = BIO_new(BIO_s_null());
- i2d_CMS_bio(out, cms);
- BIO_free(out);
+ if (out != NULL) {
+ i2d_CMS_bio(out, cms);
+ BIO_free(out);
+ }
CMS_ContentInfo_free(cms);
}
diff --git a/fuzz/conf.c b/fuzz/conf.c
index 9c5353868b..116759a0a1 100644
--- a/fuzz/conf.c
+++ b/fuzz/conf.c
@@ -33,9 +33,15 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
return 0;
conf = NCONF_new(NULL);
+ if (conf == NULL)
+ return 0;
in = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+ if (in == NULL)
+ goto end;
+ if ((size_t)BIO_write(in, buf, (int)len) != len)
+ goto end;
NCONF_load_bio(conf, in, &eline);
+end:
NCONF_free(conf);
BIO_free(in);
ERR_clear_error();
diff --git a/fuzz/crl.c b/fuzz/crl.c
index c22f5d55e2..f704321ac5 100644
--- a/fuzz/crl.c
+++ b/fuzz/crl.c
@@ -29,8 +29,11 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
X509_CRL *crl = d2i_X509_CRL(NULL, &p, (long)len);
if (crl != NULL) {
BIO *bio = BIO_new(BIO_s_null());
- X509_CRL_print(bio, crl);
- BIO_free(bio);
+
+ if (bio != NULL) {
+ X509_CRL_print(bio, crl);
+ BIO_free(bio);
+ }
i2d_X509_CRL(crl, &der);
OPENSSL_free(der);
diff --git a/fuzz/ct.c b/fuzz/ct.c
index e46574d8eb..74fbf66c04 100644
--- a/fuzz/ct.c
+++ b/fuzz/ct.c
@@ -32,8 +32,11 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
STACK_OF(SCT) *scts = d2i_SCT_LIST(NULL, pp, (long)len);
if (scts != NULL) {
BIO *bio = BIO_new(BIO_s_null());
- SCT_LIST_print(scts, bio, 4, "\n", NULL);
- BIO_free(bio);
+
+ if (bio != NULL) {
+ SCT_LIST_print(scts, bio, 4, "\n", NULL);
+ BIO_free(bio);
+ }
if (i2d_SCT_LIST(scts, &der)) {
/* Silence unused result warning */
diff --git a/fuzz/decoder.c b/fuzz/decoder.c
index 3a9a48ad21..227c24fd71 100644
--- a/fuzz/decoder.c
+++ b/fuzz/decoder.c
@@ -25,6 +25,8 @@ int FuzzerInitialize(int *argc, char ***argv)
NULL);
pctx = ASN1_PCTX_new();
+ if (pctx == NULL)
+ return 0;
ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT | ASN1_PCTX_FLAGS_SHOW_SEQUENCE | ASN1_PCTX_FLAGS_SHOW_SSOF | ASN1_PCTX_FLAGS_SHOW_TYPE | ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME);
ASN1_PCTX_set_str_flags(pctx, ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_SHOW_TYPE | ASN1_STRFLGS_DUMP_ALL);
@@ -41,9 +43,15 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
BIO *bio;
bio = BIO_new(BIO_s_null());
+ if (bio == NULL) {
+ ERR_clear_error();
+ return 0;
+ }
dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, NULL, NULL, NULL, 0, NULL,
NULL);
if (dctx == NULL) {
+ BIO_free(bio);
+ ERR_clear_error();
return 0;
}
if (OSSL_DECODER_from_data(dctx, &buf, &len)) {
@@ -54,27 +62,29 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
EVP_PKEY_print_params(bio, pkey, 1, pctx);
pkey2 = EVP_PKEY_dup(pkey);
- OPENSSL_assert(pkey2 != NULL);
- EVP_PKEY_eq(pkey, pkey2);
- EVP_PKEY_free(pkey2);
+ if (pkey2 != NULL) {
+ EVP_PKEY_eq(pkey, pkey2);
+ EVP_PKEY_free(pkey2);
+ }
ctx = EVP_PKEY_CTX_new(pkey, NULL);
- /*
- * Param check will take too long time on large DH parameters.
- * Skip it.
- */
- if ((!EVP_PKEY_is_a(pkey, "DH") && !EVP_PKEY_is_a(pkey, "DHX"))
- || EVP_PKEY_get_bits(pkey) <= 2048)
- EVP_PKEY_param_check(ctx);
+ if (ctx != NULL) {
+ /*
+ * Param check will take too long time on large DH parameters.
+ * Skip it.
+ */
+ if ((!EVP_PKEY_is_a(pkey, "DH") && !EVP_PKEY_is_a(pkey, "DHX"))
+ || EVP_PKEY_get_bits(pkey) <= 2048)
+ EVP_PKEY_param_check(ctx);
- EVP_PKEY_public_check(ctx);
- /* Private and pairwise checks are unbounded, skip for large keys. */
- if (EVP_PKEY_get_bits(pkey) <= 4096) {
- EVP_PKEY_private_check(ctx);
- EVP_PKEY_pairwise_check(ctx);
+ EVP_PKEY_public_check(ctx);
+ /* Private and pairwise checks are unbounded, skip for large keys. */
+ if (EVP_PKEY_get_bits(pkey) <= 4096) {
+ EVP_PKEY_private_check(ctx);
+ EVP_PKEY_pairwise_check(ctx);
+ }
+ EVP_PKEY_CTX_free(ctx);
}
- OPENSSL_assert(ctx != NULL);
- EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(pkey);
}
OSSL_DECODER_CTX_free(dctx);
diff --git a/fuzz/dtlsclient.c b/fuzz/dtlsclient.c
index f07bc6ed67..2dc5ed709c 100644
--- a/fuzz/dtlsclient.c
+++ b/fuzz/dtlsclient.c
@@ -76,8 +76,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
client = SSL_new(ctx);
if (client == NULL)
goto end;
- OPENSSL_assert(SSL_set_min_proto_version(client, 0) == 1);
- OPENSSL_assert(SSL_set_cipher_list(client, "ALL:eNULL:@SECLEVEL=0") == 1);
+ if (SSL_set_min_proto_version(client, 0) != 1)
+ goto end;
+ if (SSL_set_cipher_list(client, "ALL:eNULL:@SECLEVEL=0") != 1)
+ goto end;
SSL_set_tlsext_host_name(client, "localhost");
in = BIO_new(BIO_s_mem());
if (in == NULL)
@@ -89,7 +91,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
SSL_set_bio(client, in, out);
SSL_set_connect_state(client);
- OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+ if ((size_t)BIO_write(in, buf, (int)len) != len)
+ goto end;
if (SSL_do_handshake(client) == 1) {
/* Keep reading application data until error or EOF. */
uint8_t tmp[1024];
diff --git a/fuzz/dtlsserver.c b/fuzz/dtlsserver.c
index 15c6c8bb57..84ded9a4df 100644
--- a/fuzz/dtlsserver.c
+++ b/fuzz/dtlsserver.c
@@ -218,7 +218,6 @@ static const uint8_t RSACertificatePEM[] = {
0x2d, 0x0a
};
-#ifndef OPENSSL_NO_DEPRECATED_3_0
/*
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1mQfTLWrNFfUs
@@ -464,10 +463,8 @@ static const uint8_t RSAPrivateKeyPEM[] = {
0x52, 0x49, 0x56, 0x41, 0x54, 0x45, 0x20, 0x4b,
0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a
};
-#endif
#ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_DEPRECATED_3_0
/*
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJLyl7hJjpQL/RhP1x2zS79xdiPJQB683gWeqcqHPeZkoAoGCCqGSM49
@@ -496,7 +493,6 @@ static const char ECDSAPrivateKeyPEM[] = {
0x4e, 0x44, 0x20, 0x45, 0x43, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54,
0x45, 0x20, 0x4b, 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a
};
-#endif
/*
-----BEGIN CERTIFICATE-----
@@ -559,7 +555,7 @@ static const char ECDSACertPEM[] = {
};
#endif
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_DSA
/*
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQDdkFKzNABLOha7Eqj7004+p5fhtR6bxpujToMmSZTYi8igVVXP
@@ -779,121 +775,109 @@ time_t time(time_t *t) TIME_IMPL(t)
return 1;
}
+static int use_pem_privkey(SSL_CTX *ctx, const void *pem, size_t pem_len)
+{
+ BIO *bio_buf;
+ EVP_PKEY *pkey;
+ int rv = 0;
+
+ bio_buf = BIO_new(BIO_s_mem());
+ if (bio_buf == NULL)
+ return 0;
+ if ((size_t)BIO_write(bio_buf, pem, (int)pem_len) != pem_len) {
+ BIO_free(bio_buf);
+ return 0;
+ }
+ pkey = PEM_read_bio_PrivateKey(bio_buf, NULL, NULL, NULL);
+ BIO_free(bio_buf);
+ if (pkey == NULL)
+ return 0;
+ if (SSL_CTX_use_PrivateKey(ctx, pkey) == 1)
+ rv = 1;
+ EVP_PKEY_free(pkey);
+ return rv;
+}
+
+static int use_pem_cert(SSL_CTX *ctx, const void *pem, size_t pem_len)
+{
+ BIO *bio_buf;
+ X509 *cert;
+ int rv = 0;
+
+ bio_buf = BIO_new(BIO_s_mem());
+ if (bio_buf == NULL)
+ return 0;
+ if ((size_t)BIO_write(bio_buf, pem, (int)pem_len) != pem_len) {
+ BIO_free(bio_buf);
+ return 0;
+ }
+ cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
+ BIO_free(bio_buf);
+ if (cert == NULL)
+ return 0;
+ if (SSL_CTX_use_certificate(ctx, cert) == 1)
+ rv = 1;
+ X509_free(cert);
+ return rv;
+}
+
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
- SSL *server;
+ SSL *server = NULL;
BIO *in;
BIO *out;
- BIO *bio_buf;
SSL_CTX *ctx;
- int ret;
-#ifndef OPENSSL_NO_DEPRECATED_3_0
- RSA *privkey;
-#endif
-#if !defined(OPENSSL_NO_DEPRECATED_3_0)
- EVP_PKEY *pkey;
-#endif
- X509 *cert;
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-#ifndef OPENSSL_NO_EC
- EC_KEY *ecdsakey = NULL;
-#endif
-#endif
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
- DSA *dsakey = NULL;
-#endif
if (len < 2 || len > INT_MAX)
return 0;
- /* This only fuzzes the initial flow from the client so far. */
ctx = SSL_CTX_new(DTLS_server_method());
+ if (ctx == NULL)
+ return 0;
- ret = SSL_CTX_set_min_proto_version(ctx, 0);
- OPENSSL_assert(ret == 1);
- ret = SSL_CTX_set_cipher_list(ctx, "ALL:eNULL:@SECLEVEL=0");
- OPENSSL_assert(ret == 1);
+ if (SSL_CTX_set_min_proto_version(ctx, 0) != 1)
+ goto end;
+ if (SSL_CTX_set_cipher_list(ctx, "ALL:eNULL:@SECLEVEL=0") != 1)
+ goto end;
-#ifndef OPENSSL_NO_DEPRECATED_3_0
/* RSA */
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(bio_buf, RSAPrivateKeyPEM, sizeof(RSAPrivateKeyPEM)) == sizeof(RSAPrivateKeyPEM));
- privkey = PEM_read_bio_RSAPrivateKey(bio_buf, NULL, NULL, NULL);
- ERR_print_errors_fp(stderr);
- OPENSSL_assert(privkey != NULL);
- BIO_free(bio_buf);
- pkey = EVP_PKEY_new();
- EVP_PKEY_assign_RSA(pkey, privkey);
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- OPENSSL_assert(ret == 1);
- EVP_PKEY_free(pkey);
-#endif
-
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(bio_buf, RSACertificatePEM, sizeof(RSACertificatePEM)) == sizeof(RSACertificatePEM));
- cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
- BIO_free(bio_buf);
- OPENSSL_assert(cert != NULL);
- ret = SSL_CTX_use_certificate(ctx, cert);
- OPENSSL_assert(ret == 1);
- X509_free(cert);
+ if (!use_pem_privkey(ctx, RSAPrivateKeyPEM, sizeof(RSAPrivateKeyPEM)))
+ goto end;
+ if (!use_pem_cert(ctx, RSACertificatePEM, sizeof(RSACertificatePEM)))
+ goto end;
#ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_DEPRECATED_3_0
/* ECDSA */
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSAPrivateKeyPEM, sizeof(ECDSAPrivateKeyPEM)) == sizeof(ECDSAPrivateKeyPEM));
- ecdsakey = PEM_read_bio_ECPrivateKey(bio_buf, NULL, NULL, NULL);
- ERR_print_errors_fp(stderr);
- OPENSSL_assert(ecdsakey != NULL);
- BIO_free(bio_buf);
- pkey = EVP_PKEY_new();
- EVP_PKEY_assign_EC_KEY(pkey, ecdsakey);
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- OPENSSL_assert(ret == 1);
- EVP_PKEY_free(pkey);
-#endif
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSACertPEM, sizeof(ECDSACertPEM)) == sizeof(ECDSACertPEM));
- cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
- OPENSSL_assert(cert != NULL);
- BIO_free(bio_buf);
- ret = SSL_CTX_use_certificate(ctx, cert);
- OPENSSL_assert(ret == 1);
- X509_free(cert);
+ if (!use_pem_privkey(ctx, ECDSAPrivateKeyPEM, sizeof(ECDSAPrivateKeyPEM)))
+ goto end;
+ if (!use_pem_cert(ctx, ECDSACertPEM, sizeof(ECDSACertPEM)))
+ goto end;
#endif
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_DSA
/* DSA */
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(bio_buf, DSAPrivateKeyPEM, sizeof(DSAPrivateKeyPEM)) == sizeof(DSAPrivateKeyPEM));
- dsakey = PEM_read_bio_DSAPrivateKey(bio_buf, NULL, NULL, NULL);
- ERR_print_errors_fp(stderr);
- OPENSSL_assert(dsakey != NULL);
- BIO_free(bio_buf);
- pkey = EVP_PKEY_new();
- EVP_PKEY_assign_DSA(pkey, dsakey);
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- OPENSSL_assert(ret == 1);
- EVP_PKEY_free(pkey);
-
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(bio_buf, DSACertPEM, sizeof(DSACertPEM)) == sizeof(DSACertPEM));
- cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
- OPENSSL_assert(cert != NULL);
- BIO_free(bio_buf);
- ret = SSL_CTX_use_certificate(ctx, cert);
- OPENSSL_assert(ret == 1);
- X509_free(cert);
+ if (!use_pem_privkey(ctx, DSAPrivateKeyPEM, sizeof(DSAPrivateKeyPEM)))
+ goto end;
+ if (!use_pem_cert(ctx, DSACertPEM, sizeof(DSACertPEM)))
+ goto end;
#endif
server = SSL_new(ctx);
+ if (server == NULL)
+ goto end;
in = BIO_new(BIO_s_mem());
+ if (in == NULL)
+ goto end;
out = BIO_new(BIO_s_mem());
+ if (out == NULL) {
+ BIO_free(in);
+ goto end;
+ }
SSL_set_bio(server, in, out);
SSL_set_accept_state(server);
- OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+ if ((size_t)BIO_write(in, buf, (int)len) != len)
+ goto end;
if (SSL_do_handshake(server) == 1) {
/* Keep reading application data until error or EOF. */
@@ -904,6 +888,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
}
}
+end:
SSL_free(server);
ERR_clear_error();
SSL_CTX_free(ctx);
diff --git a/fuzz/hashtable.c b/fuzz/hashtable.c
index 9e9519b865..9eb81c0a9e 100644
--- a/fuzz/hashtable.c
+++ b/fuzz/hashtable.c
@@ -162,22 +162,11 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
/* set the proper key value */
HT_SET_KEY_FIELD(&key, fuzzkey, keyval);
+ memcpy(&valptr->value, &buf[3], sizeof(uint64_t));
+
/* lock the table */
ossl_ht_write_lock(fuzzer_table);
- /*
- * If the value to insert is already allocated
- * then we expect a conflict in the insert
- * i.e. we predict a return code of 0 instead
- * of 1. On replacement, we expect it to succeed
- * always
- */
- if (valptr->flags & FZ_FLAG_ALLOCATED) {
- if (!IS_REPLACE(op_flags))
- rc_prediction = 0;
- }
-
- memcpy(&valptr->value, &buf[3], sizeof(uint64_t));
/*
* do the insert/replace
*/
@@ -188,30 +177,18 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
rc = ossl_ht_fz_FUZZER_VALUE_insert(fuzzer_table, TO_HT_KEY(&key),
valptr, NULL);
- if (rc == -1)
- /* failed to grow the hash table due to too many collisions */
- break;
-
- /*
- * mark the entry as being allocated
- */
- valptr->flags |= FZ_FLAG_ALLOCATED;
-
/*
* unlock the table
*/
ossl_ht_write_unlock(fuzzer_table);
/*
- * Now check to make sure we did the right thing
- */
- OPENSSL_assert(rc == rc_prediction);
-
- /*
- * successful insertion if there wasn't a conflict
+ * mark the entry as being allocated
*/
- if (rc_prediction == 1)
+ if (rc == 1) {
+ valptr->flags |= FZ_FLAG_ALLOCATED;
IS_REPLACE(op_flags) ? replacements++ : inserts++;
+ }
break;
case OP_DELETE:
@@ -226,15 +203,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
/* lock the table */
ossl_ht_write_lock(fuzzer_table);
- /*
- * If the value to delete is not already allocated
- * then we expect a miss in the delete
- * i.e. we predict a return code of 0 instead
- * of 1
- */
- if (!(valptr->flags & FZ_FLAG_ALLOCATED))
- rc_prediction = 0;
-
/*
* do the delete
*/
@@ -245,22 +213,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
*/
ossl_ht_write_unlock(fuzzer_table);
- /*
- * Now check to make sure we did the right thing
- */
- OPENSSL_assert(rc == rc_prediction);
-
- /*
- * once the unlock is done, the table rcu will have synced
- * meaning the free function has run, so we can confirm now
- * that the valptr is no longer allocated
- */
- OPENSSL_assert(!(valptr->flags & FZ_FLAG_ALLOCATED));
-
/*
* successful deletion if there wasn't a conflict
*/
- if (rc_prediction == 1)
+ if (rc == 1)
deletes++;
break;
@@ -301,24 +257,22 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
/*
* Now check to make sure we did the right thing
*/
- OPENSSL_assert(lval == valptr);
+ if (valptr == NULL)
+ OPENSSL_assert(lval == NULL);
+ else
+ OPENSSL_assert(lval == NULL || lval == valptr);
/*
* if we expect a positive lookup, make sure that
* we can use the _type and to_value functions
*/
- if (valptr != NULL) {
+ if (valptr != NULL && lval != NULL) {
OPENSSL_assert(ossl_ht_fz_FUZZER_VALUE_type(v) == 1);
v = ossl_ht_fz_FUZZER_VALUE_to_value(lval, &tv);
OPENSSL_assert(v->value == lval);
- }
-
- /*
- * successful lookup if we didn't expect a miss
- */
- if (valptr != NULL)
lookups++;
+ }
break;
@@ -336,17 +290,17 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
* lock the table
*/
ossl_ht_write_lock(fuzzer_table);
- ossl_ht_flush(fuzzer_table);
+ rc = ossl_ht_flush(fuzzer_table);
ossl_ht_write_unlock(fuzzer_table);
/*
* now check to make sure everything is free
*/
- for (i = 0; i < USHRT_MAX; i++)
- OPENSSL_assert((prediction_table[i].flags & FZ_FLAG_ALLOCATED) == 0);
-
- /* good flush */
- flushes++;
+ if (rc == 1) {
+ for (i = 0; i < USHRT_MAX; i++)
+ OPENSSL_assert((prediction_table[i].flags & FZ_FLAG_ALLOCATED) == 0);
+ flushes++;
+ }
break;
case OP_FOREACH:
@@ -372,11 +326,11 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
rc_prediction = 1;
htvlist = ossl_ht_filter(fuzzer_table, 1, filter_iterator, &keyval);
-
- OPENSSL_assert(htvlist->list_len == (size_t)rc_prediction);
-
- ossl_ht_value_list_free(htvlist);
- filters++;
+ if (htvlist != NULL) {
+ OPENSSL_assert(htvlist->list_len == (size_t)rc_prediction);
+ ossl_ht_value_list_free(htvlist);
+ filters++;
+ }
break;
default:
diff --git a/fuzz/ml-dsa.c b/fuzz/ml-dsa.c
index 094af9096a..e56a023e46 100644
--- a/fuzz/ml-dsa.c
+++ b/fuzz/ml-dsa.c
@@ -254,6 +254,10 @@ static int keygen_ml_dsa_real_key_helper(uint8_t **buf, size_t *len,
ret = 1;
err:
+ if (!ret) {
+ EVP_PKEY_free(*key);
+ *key = NULL;
+ }
EVP_PKEY_CTX_free(ctx);
return ret;
}
@@ -659,7 +663,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
/* And run our setup/doit/cleanup sequence */
if (ops[operation].setup != NULL)
ops[operation].setup(&buffer_cursor, &len, &in1, &in2);
- if (ops[operation].doit != NULL)
+ if (ops[operation].doit != NULL && in1 != NULL)
ops[operation].doit(&buffer_cursor, &len, in1, in2, &out1, &out2);
if (ops[operation].cleanup != NULL)
ops[operation].cleanup(in1, in2, out1, out2);
diff --git a/fuzz/ml-kem.c b/fuzz/ml-kem.c
index 6e3aed8b23..dfd4faf6dc 100644
--- a/fuzz/ml-kem.c
+++ b/fuzz/ml-kem.c
@@ -650,7 +650,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
*/
if (ops[operation].setup != NULL)
ops[operation].setup(&buffer_cursor, &len, &in1, &in2);
- if (ops[operation].doit != NULL)
+ if (ops[operation].doit != NULL && in1 != NULL)
ops[operation].doit(&buffer_cursor, &len, in1, in2, &out1, &out2);
if (ops[operation].cleanup != NULL)
ops[operation].cleanup(in1, in2, out1, out2);
diff --git a/fuzz/pem.c b/fuzz/pem.c
index a8a1d810f0..a2da9820a7 100644
--- a/fuzz/pem.c
+++ b/fuzz/pem.c
@@ -31,7 +31,15 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
return 0;
in = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(in, buf + 1, (int)(len - 1)) == len - 1);
+ if (in == NULL) {
+ ERR_clear_error();
+ return 0;
+ }
+ if ((size_t)BIO_write(in, buf + 1, (int)(len - 1)) != len - 1) {
+ BIO_free(in);
+ ERR_clear_error();
+ return 0;
+ }
if (PEM_read_bio_ex(in, &name, &header, &data, &outlen, buf[0]) == 1) {
/* Try to read all the data we get to see if allocated properly. */
BIO_write(in, name, (int)strlen(name));
diff --git a/fuzz/pkcs12.c b/fuzz/pkcs12.c
index 3bc9b5f7d7..74e2b6dd8a 100644
--- a/fuzz/pkcs12.c
+++ b/fuzz/pkcs12.c
@@ -39,7 +39,15 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
return 0;
in = BIO_new(BIO_s_mem());
- OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+ if (in == NULL) {
+ ERR_clear_error();
+ return 0;
+ }
+ if ((size_t)BIO_write(in, buf, (int)len) != len) {
+ BIO_free(in);
+ ERR_clear_error();
+ return 0;
+ }
p12 = d2i_PKCS12_bio(in, NULL);
if (p12 != NULL) {
PKCS12_verify_mac(p12, NULL, 0);
diff --git a/fuzz/provider.c b/fuzz/provider.c
index e3acf3e470..bc45489a2f 100644
--- a/fuzz/provider.c
+++ b/fuzz/provider.c
@@ -304,6 +304,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
if (!read_int(buf, len, &use_param)) {
use_param = OPENSSL_malloc(sizeof(uint64_t));
if (use_param == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
return NULL;
}
@@ -315,6 +316,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
if (strcmp(param->key, OSSL_KDF_PARAM_ITER) == 0) {
p_value_int = OPENSSL_malloc(sizeof(ITERS));
if (p_value_int == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -323,6 +325,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_N) == 0) {
p_value_int = OPENSSL_malloc(sizeof(ITERS));
if (p_value_int == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -331,6 +334,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_R) == 0) {
p_value_int = OPENSSL_malloc(sizeof(BLOCKSIZE));
if (p_value_int == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -339,6 +343,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_P) == 0) {
p_value_int = OPENSSL_malloc(sizeof(BLOCKSIZE));
if (p_value_int == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -347,6 +352,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (!*use_param || !read_int(buf, len, &p_value_int)) {
p_value_int = OPENSSL_malloc(sizeof(int64_t));
if (p_value_int == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -362,6 +368,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
if (strcmp(param->key, OSSL_KDF_PARAM_ITER) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UITERS));
if (p_value_uint == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -370,6 +377,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_N) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UITERS));
if (p_value_uint == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -378,6 +386,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_R) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UBLOCKSIZE));
if (p_value_uint == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -386,6 +395,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (strcmp(param->key, OSSL_KDF_PARAM_SCRYPT_P) == 0) {
p_value_uint = OPENSSL_malloc(sizeof(UBLOCKSIZE));
if (p_value_uint == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -394,6 +404,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
} else if (!*use_param || !read_uint(buf, len, &p_value_uint)) {
p_value_uint = OPENSSL_malloc(sizeof(uint64_t));
if (p_value_uint == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
@@ -409,6 +420,7 @@ static OSSL_PARAM *fuzz_params(OSSL_PARAM *param, const uint8_t **buf, size_t *l
if (!*use_param || !read_double(buf, len, &p_value_double)) {
p_value_double = OPENSSL_malloc(sizeof(double));
if (p_value_double == NULL) {
+ free_params(fuzzed_parameters);
OPENSSL_free(fuzzed_parameters);
OPENSSL_free(use_param);
return NULL;
diff --git a/fuzz/quic-client.c b/fuzz/quic-client.c
index 851ecc5cc9..e75390ad60 100644
--- a/fuzz/quic-client.c
+++ b/fuzz/quic-client.c
@@ -77,6 +77,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
if (client == NULL)
goto end;
+ allstreams[0] = stream = client;
+
fake_now = ossl_ms2time(1);
if (!ossl_quic_set_override_now_cb(client, fake_now_cb, NULL))
goto end;
@@ -90,7 +92,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
if (!BIO_ADDR_rawmake(peer_addr, AF_INET, &ina, sizeof(ina), htons(4433)))
goto end;
- SSL_set_tlsext_host_name(client, "localhost");
+ if (SSL_set_tlsext_host_name(client, "localhost") != 1)
+ goto end;
in = BIO_new(BIO_s_dgram_mem());
if (in == NULL)
goto end;
@@ -116,7 +119,6 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
0))
goto end;
- allstreams[0] = stream = client;
for (;;) {
size_t size;
uint64_t nxtpktms = 0;
diff --git a/fuzz/quic-srtm.c b/fuzz/quic-srtm.c
index a7897da710..6e152299e1 100644
--- a/fuzz/quic-srtm.c
+++ b/fuzz/quic-srtm.c
@@ -77,9 +77,9 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
sizeof(arg_token.token)))
continue; /* just stop */
- ossl_quic_srtm_add(srtm, (void *)(uintptr_t)arg_opaque,
- arg_seq_num, &arg_token);
- ossl_quic_srtm_check(srtm);
+ if (ossl_quic_srtm_add(srtm, (void *)(uintptr_t)arg_opaque,
+ arg_seq_num, &arg_token))
+ ossl_quic_srtm_check(srtm);
break;
case CMD_REMOVE:
@@ -87,17 +87,17 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
|| !PACKET_get_net_8(&pkt, &arg_seq_num))
continue; /* just stop */
- ossl_quic_srtm_remove(srtm, (void *)(uintptr_t)arg_opaque,
- arg_seq_num);
- ossl_quic_srtm_check(srtm);
+ if (ossl_quic_srtm_remove(srtm, (void *)(uintptr_t)arg_opaque,
+ arg_seq_num))
+ ossl_quic_srtm_check(srtm);
break;
case CMD_CULL:
if (!PACKET_get_net_8(&pkt, &arg_opaque))
continue; /* just stop */
- ossl_quic_srtm_cull(srtm, (void *)(uintptr_t)arg_opaque);
- ossl_quic_srtm_check(srtm);
+ if (ossl_quic_srtm_cull(srtm, (void *)(uintptr_t)arg_opaque))
+ ossl_quic_srtm_check(srtm);
break;
case CMD_LOOKUP:
@@ -106,9 +106,9 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
|| !PACKET_get_net_8(&pkt, &arg_idx))
continue; /* just stop */
- ossl_quic_srtm_lookup(srtm, &arg_token, (size_t)arg_idx,
- NULL, NULL);
- ossl_quic_srtm_check(srtm);
+ if (ossl_quic_srtm_lookup(srtm, &arg_token, (size_t)arg_idx,
+ NULL, NULL))
+ ossl_quic_srtm_check(srtm);
break;
default:
diff --git a/fuzz/server.c b/fuzz/server.c
index 1723cecda5..740ade8513 100644
--- a/fuzz/server.c
+++ b/fuzz/server.c
@@ -25,6 +25,7 @@
#include <openssl/err.h>
#include "fuzzer.h"
+#ifndef OPENSSL_NO_DEPRECATED_3_0
static const uint8_t kCertificateDER[] = {
0x30, 0x82, 0x02, 0xff, 0x30, 0x82, 0x01, 0xe7,
0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x11, 0x00,
@@ -125,7 +126,6 @@ static const uint8_t kCertificateDER[] = {
0x76, 0x8a, 0xbb
};
-#ifndef OPENSSL_NO_DEPRECATED_3_0
static const uint8_t kRSAPrivateKeyDER[] = {
0x30, 0x82, 0x04, 0xa5, 0x02, 0x01, 0x00, 0x02,
0x82, 0x01, 0x01, 0x00, 0xce, 0x47, 0xcb, 0x11,
@@ -281,7 +281,6 @@ static const uint8_t kRSAPrivateKeyDER[] = {
#endif
#ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_DEPRECATED_3_0
/*
* -----BEGIN EC PRIVATE KEY-----
* MHcCAQEEIJLyl7hJjpQL/RhP1x2zS79xdiPJQB683gWeqcqHPeZkoAoGCCqGSM49
@@ -310,7 +309,6 @@ static const char ECDSAPrivateKeyPEM[] = {
0x4e, 0x44, 0x20, 0x45, 0x43, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54,
0x45, 0x20, 0x4b, 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a
};
-#endif
/*
* -----BEGIN CERTIFICATE-----
@@ -373,7 +371,7 @@ static const char ECDSACertPEM[] = {
};
#endif
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_DSA
/*
* -----BEGIN DSA PRIVATE KEY-----
* MIIBuwIBAAKBgQDdkFKzNABLOha7Eqj7004+p5fhtR6bxpujToMmSZTYi8igVVXP
@@ -593,139 +591,155 @@ time_t time(time_t *t) TIME_IMPL(t)
return 1;
}
+#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DSA)
+static int use_pem_privkey(SSL_CTX *ctx, const void *pem, size_t pem_len)
+{
+ BIO *bio_buf;
+ EVP_PKEY *pkey;
+ int rv = 0;
+
+ bio_buf = BIO_new(BIO_s_mem());
+ if (bio_buf == NULL)
+ return 0;
+ if ((size_t)BIO_write(bio_buf, pem, (int)pem_len) != pem_len) {
+ BIO_free(bio_buf);
+ return 0;
+ }
+ pkey = PEM_read_bio_PrivateKey(bio_buf, NULL, NULL, NULL);
+ BIO_free(bio_buf);
+ if (pkey == NULL)
+ return 0;
+ if (SSL_CTX_use_PrivateKey(ctx, pkey) == 1)
+ rv = 1;
+ EVP_PKEY_free(pkey);
+ return rv;
+}
+
+static int use_pem_cert(SSL_CTX *ctx, const void *pem, size_t pem_len)
+{
+ BIO *bio_buf;
+ X509 *cert;
+ int rv = 0;
+
+ bio_buf = BIO_new(BIO_s_mem());
+ if (bio_buf == NULL)
+ return 0;
+ if ((size_t)BIO_write(bio_buf, pem, (int)pem_len) != pem_len) {
+ BIO_free(bio_buf);
+ return 0;
+ }
+ cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
+ BIO_free(bio_buf);
+ if (cert == NULL)
+ return 0;
+ if (SSL_CTX_use_certificate(ctx, cert) == 1)
+ rv = 1;
+ X509_free(cert);
+ return rv;
+}
+#endif
+
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
- SSL *server;
+ SSL *server = NULL;
BIO *in;
BIO *out;
-#if !defined(OPENSSL_NO_EC) \
- || (!defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0))
- BIO *bio_buf;
-#endif
SSL_CTX *ctx;
- int ret;
#ifndef OPENSSL_NO_DEPRECATED_3_0
- RSA *privkey;
-#endif
const uint8_t *bufp;
-#if !defined(OPENSSL_NO_DEPRECATED_3_0)
- EVP_PKEY *pkey;
-#endif
- X509 *cert;
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-#ifndef OPENSSL_NO_EC
- EC_KEY *ecdsakey = NULL;
-#endif
-#endif
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
- DSA *dsakey = NULL;
+ RSA *privkey = NULL;
+ EVP_PKEY *pkey = NULL;
+ X509 *cert = NULL;
#endif
uint8_t opt;
+ int ret;
if (len < 2 || len > INT_MAX)
return 0;
- /* This only fuzzes the initial flow from the client so far. */
ctx = SSL_CTX_new(TLS_method());
- OPENSSL_assert(ctx != NULL);
- ret = SSL_CTX_set_min_proto_version(ctx, 0);
- OPENSSL_assert(ret == 1);
- ret = SSL_CTX_set_cipher_list(ctx, "ALL:eNULL:@SECLEVEL=0");
- OPENSSL_assert(ret == 1);
+ if (ctx == NULL)
+ return 0;
+ if (SSL_CTX_set_min_proto_version(ctx, 0) != 1)
+ goto end;
+ if (SSL_CTX_set_cipher_list(ctx, "ALL:eNULL:@SECLEVEL=0") != 1)
+ goto end;
#ifndef OPENSSL_NO_DEPRECATED_3_0
/* RSA */
bufp = kRSAPrivateKeyDER;
privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER));
- OPENSSL_assert(privkey != NULL);
+ if (privkey == NULL)
+ goto end;
pkey = EVP_PKEY_new();
- OPENSSL_assert(pkey != NULL);
- EVP_PKEY_assign_RSA(pkey, privkey);
+ if (pkey == NULL) {
+ RSA_free(privkey);
+ goto end;
+ }
+ if (!EVP_PKEY_assign_RSA(pkey, privkey)) {
+ /* assignment failed; pkey doesn't own privkey, clean both */
+ RSA_free(privkey);
+ EVP_PKEY_free(pkey);
+ goto end;
+ }
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- OPENSSL_assert(ret == 1);
EVP_PKEY_free(pkey);
-#endif
+ if (ret != 1)
+ goto end;
bufp = kCertificateDER;
cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER));
- OPENSSL_assert(cert != NULL);
+ if (cert == NULL)
+ goto end;
ret = SSL_CTX_use_certificate(ctx, cert);
- OPENSSL_assert(ret == 1);
X509_free(cert);
+ if (ret != 1)
+ goto end;
+#endif
#ifndef OPENSSL_NO_EC
-#ifndef OPENSSL_NO_DEPRECATED_3_0
/* ECDSA */
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert(bio_buf != NULL);
- OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSAPrivateKeyPEM, sizeof(ECDSAPrivateKeyPEM)) == sizeof(ECDSAPrivateKeyPEM));
- ecdsakey = PEM_read_bio_ECPrivateKey(bio_buf, NULL, NULL, NULL);
- ERR_print_errors_fp(stderr);
- OPENSSL_assert(ecdsakey != NULL);
- BIO_free(bio_buf);
- pkey = EVP_PKEY_new();
- OPENSSL_assert(pkey != NULL);
- EVP_PKEY_assign_EC_KEY(pkey, ecdsakey);
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- OPENSSL_assert(ret == 1);
- EVP_PKEY_free(pkey);
-#endif
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert(bio_buf != NULL);
- OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSACertPEM, sizeof(ECDSACertPEM)) == sizeof(ECDSACertPEM));
- cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
- OPENSSL_assert(cert != NULL);
- BIO_free(bio_buf);
- ret = SSL_CTX_use_certificate(ctx, cert);
- OPENSSL_assert(ret == 1);
- X509_free(cert);
+ if (!use_pem_privkey(ctx, ECDSAPrivateKeyPEM, sizeof(ECDSAPrivateKeyPEM)))
+ goto end;
+ if (!use_pem_cert(ctx, ECDSACertPEM, sizeof(ECDSACertPEM)))
+ goto end;
#endif
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_DSA
/* DSA */
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert(bio_buf != NULL);
- OPENSSL_assert((size_t)BIO_write(bio_buf, DSAPrivateKeyPEM, sizeof(DSAPrivateKeyPEM)) == sizeof(DSAPrivateKeyPEM));
- dsakey = PEM_read_bio_DSAPrivateKey(bio_buf, NULL, NULL, NULL);
- ERR_print_errors_fp(stderr);
- OPENSSL_assert(dsakey != NULL);
- BIO_free(bio_buf);
- pkey = EVP_PKEY_new();
- OPENSSL_assert(pkey != NULL);
- EVP_PKEY_assign_DSA(pkey, dsakey);
- ret = SSL_CTX_use_PrivateKey(ctx, pkey);
- OPENSSL_assert(ret == 1);
- EVP_PKEY_free(pkey);
-
- bio_buf = BIO_new(BIO_s_mem());
- OPENSSL_assert(bio_buf != NULL);
- OPENSSL_assert((size_t)BIO_write(bio_buf, DSACertPEM, sizeof(DSACertPEM)) == sizeof(DSACertPEM));
- cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
- OPENSSL_assert(cert != NULL);
- BIO_free(bio_buf);
- ret = SSL_CTX_use_certificate(ctx, cert);
- OPENSSL_assert(ret == 1);
- X509_free(cert);
+ if (!use_pem_privkey(ctx, DSAPrivateKeyPEM, sizeof(DSAPrivateKeyPEM)))
+ goto end;
+ if (!use_pem_cert(ctx, DSACertPEM, sizeof(DSACertPEM)))
+ goto end;
#endif
server = SSL_new(ctx);
+ if (server == NULL)
+ goto end;
in = BIO_new(BIO_s_mem());
- OPENSSL_assert(in != NULL);
+ if (in == NULL)
+ goto end;
out = BIO_new(BIO_s_mem());
- OPENSSL_assert(out != NULL);
+ if (out == NULL) {
+ BIO_free(in);
+ goto end;
+ }
SSL_set_bio(server, in, out);
SSL_set_accept_state(server);
opt = (uint8_t)buf[len - 1];
len--;
- OPENSSL_assert((size_t)BIO_write(in, buf, (int)len) == len);
+ if ((size_t)BIO_write(in, buf, (int)len) != len)
+ goto end;
if ((opt & 0x01) != 0) {
do {
char early_buf[16384];
size_t early_len;
- ret = SSL_read_early_data(server, early_buf, sizeof(early_buf), &early_len);
+
+ ret = SSL_read_early_data(server, early_buf, sizeof(early_buf),
+ &early_len);
if (ret != SSL_READ_EARLY_DATA_SUCCESS)
break;
@@ -741,6 +755,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
}
}
+end:
SSL_free(server);
ERR_clear_error();
SSL_CTX_free(ctx);
diff --git a/fuzz/slh-dsa.c b/fuzz/slh-dsa.c
index 17238bcf8b..0f78a01da8 100644
--- a/fuzz/slh-dsa.c
+++ b/fuzz/slh-dsa.c
@@ -63,26 +63,32 @@ static EVP_PKEY *slh_dsa_gen_key(const char *name, uint32_t keysize,
{
EVP_PKEY_CTX *ctx;
EVP_PKEY *new = NULL;
- int rc;
ctx = EVP_PKEY_CTX_new_from_name(NULL, name, NULL);
- OPENSSL_assert(ctx != NULL);
+ if (ctx == NULL)
+ return NULL;
if (params != NULL) {
new = EVP_PKEY_new();
- OPENSSL_assert(EVP_PKEY_fromdata_init(ctx));
- if (*param_broken) {
- rc = EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params);
- OPENSSL_assert(rc == 0);
+ if (new == NULL)
+ goto out;
+ if (!EVP_PKEY_fromdata_init(ctx)) {
+ EVP_PKEY_free(new);
+ new = NULL;
+ goto out;
+ }
+ if (EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) != 1) {
EVP_PKEY_free(new);
new = NULL;
- } else {
- OPENSSL_assert(EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) == 1);
}
goto out;
}
- OPENSSL_assert(EVP_PKEY_keygen_init(ctx));
- OPENSSL_assert(EVP_PKEY_generate(ctx, &new));
+ if (!EVP_PKEY_keygen_init(ctx))
+ goto out;
+ if (!EVP_PKEY_generate(ctx, &new)) {
+ EVP_PKEY_free(new);
+ new = NULL;
+ }
out:
EVP_PKEY_CTX_free(ctx);
@@ -221,9 +227,10 @@ static void slh_dsa_gen_key_with_params(uint8_t **buf, size_t *len,
*buf = consume_uint8t(*buf, len, &selector);
keytype = select_keytype(selector, &keysize);
- RAND_bytes(pubbuf, PARAM_BUF_SZ);
- RAND_bytes(prvbuf, PARAM_BUF_SZ);
- RAND_bytes(sdbuf, PARAM_BUF_SZ);
+ if (!RAND_bytes(pubbuf, PARAM_BUF_SZ)
+ || !RAND_bytes(prvbuf, PARAM_BUF_SZ)
+ || !RAND_bytes(sdbuf, PARAM_BUF_SZ))
+ return;
/*
* select an invalid length if the buffer 0th bit is one
@@ -260,11 +267,6 @@ static void slh_dsa_gen_key_with_params(uint8_t **buf, size_t *len,
params[2] = OSSL_PARAM_construct_end();
*out1 = (void *)slh_dsa_gen_key(keytype, keysize, params, &broken);
-
- if (broken)
- OPENSSL_assert(*out1 == NULL);
- else
- OPENSSL_assert(*out1 != NULL);
return;
}
@@ -319,7 +321,6 @@ static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
OSSL_PARAM params[4];
int paramidx = 0;
int intval1, intval2;
- int expect_init_rc = 1;
*buf = consume_uint8t(*buf, len, &selector);
if (*buf == NULL)
@@ -340,10 +341,6 @@ static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
msg = (unsigned char *)*buf;
msg_len = *len;
- /* if msg_len > 255, sign_message_init will fail */
- if (msg_len > 255 && (selector & 0x1) != 0)
- expect_init_rc = 0;
-
*len = 0;
if (selector & 0x1)
@@ -365,33 +362,39 @@ static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
params[paramidx] = OSSL_PARAM_construct_end();
key = (void *)slh_dsa_gen_key(keytype, keylen, NULL, 0);
- OPENSSL_assert(key != NULL);
+ if (key == NULL)
+ return;
*out1 = key; /* for cleanup */
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL);
- OPENSSL_assert(ctx != NULL);
+ if (ctx == NULL)
+ goto out;
sig_alg = EVP_SIGNATURE_fetch(NULL, keytype, NULL);
- OPENSSL_assert(sig_alg != NULL);
+ if (sig_alg == NULL)
+ goto out;
- OPENSSL_assert(EVP_PKEY_sign_message_init(ctx, sig_alg, params) == expect_init_rc);
/*
* the context_string parameter can be no more than 255 bytes, so if
- * our random input buffer is greater than that, we expect failure above,
- * which we check for. In that event, there's nothing more we can do here
- * so bail out
+ * our random input buffer is greater than that, sign_message_init will
+ * fail, in which case there's nothing more we can do here so bail out
*/
- if (expect_init_rc == 0)
+ if (EVP_PKEY_sign_message_init(ctx, sig_alg, params) != 1)
goto out;
- OPENSSL_assert(EVP_PKEY_sign(ctx, NULL, &sig_len, msg, msg_len));
+ if (EVP_PKEY_sign(ctx, NULL, &sig_len, msg, msg_len) != 1)
+ goto out;
sig = OPENSSL_zalloc(sig_len);
- OPENSSL_assert(sig != NULL);
+ if (sig == NULL)
+ goto out;
- OPENSSL_assert(EVP_PKEY_sign(ctx, sig, &sig_len, msg, msg_len));
+ if (EVP_PKEY_sign(ctx, sig, &sig_len, msg, msg_len) != 1)
+ goto out;
- OPENSSL_assert(EVP_PKEY_verify_message_init(ctx, sig_alg, params));
- OPENSSL_assert(EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len));
+ if (EVP_PKEY_verify_message_init(ctx, sig_alg, params) != 1)
+ goto out;
+ if (EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len) != 1)
+ fprintf(stderr, "Failed to verify message\n");
out:
OPENSSL_free(sig);
@@ -417,32 +420,34 @@ out:
static void slh_dsa_export_import(uint8_t **buf, size_t *len, void *key1,
void *key2, void **out1, void **out2)
{
- int rc;
EVP_PKEY *alice = (EVP_PKEY *)key1;
EVP_PKEY *bob = (EVP_PKEY *)key2;
EVP_PKEY *new = NULL;
EVP_PKEY_CTX *ctx = NULL;
OSSL_PARAM *params = NULL;
- OPENSSL_assert(EVP_PKEY_todata(alice, EVP_PKEY_KEYPAIR, ¶ms) == 1);
+ if (alice == NULL || bob == NULL)
+ return;
+
+ if (!EVP_PKEY_todata(alice, EVP_PKEY_KEYPAIR, ¶ms))
+ goto alice_done;
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, alice, NULL);
- OPENSSL_assert(ctx != NULL);
+ if (ctx == NULL)
+ goto alice_done;
- OPENSSL_assert(EVP_PKEY_fromdata_init(ctx));
+ if (!EVP_PKEY_fromdata_init(ctx))
+ goto alice_done;
new = EVP_PKEY_new();
- OPENSSL_assert(new != NULL);
- OPENSSL_assert(EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) == 1);
+ if (new == NULL)
+ goto alice_done;
+ if (EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) != 1)
+ goto alice_done;
- /*
- * EVP_PKEY returns:
- * 1 if the keys are equivalent
- * 0 if the keys are not equivalent
- * -1 if the key types are different
- * -2 if the operation is not supported
- */
- OPENSSL_assert(EVP_PKEY_eq(alice, new) == 1);
+ (void)EVP_PKEY_eq(alice, new);
+
+alice_done:
EVP_PKEY_free(new);
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
@@ -450,26 +455,26 @@ static void slh_dsa_export_import(uint8_t **buf, size_t *len, void *key1,
ctx = NULL;
new = NULL;
- OPENSSL_assert(EVP_PKEY_todata(bob, EVP_PKEY_KEYPAIR, ¶ms) == 1);
+ if (!EVP_PKEY_todata(bob, EVP_PKEY_KEYPAIR, ¶ms))
+ goto bob_done;
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, bob, NULL);
- OPENSSL_assert(ctx != NULL);
+ if (ctx == NULL)
+ goto bob_done;
- OPENSSL_assert(EVP_PKEY_fromdata_init(ctx));
+ if (!EVP_PKEY_fromdata_init(ctx))
+ goto bob_done;
new = EVP_PKEY_new();
- OPENSSL_assert(new != NULL);
- OPENSSL_assert(EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) == 1);
+ if (new == NULL)
+ goto bob_done;
+ if (EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) != 1)
+ goto bob_done;
- OPENSSL_assert(EVP_PKEY_eq(bob, new) == 1);
-
- /*
- * Depending on the types of eys that get generated
- * we might get a simple non-equivalence or a type mismatch here
- */
- rc = EVP_PKEY_eq(alice, new);
- OPENSSL_assert(rc == 0 || rc == -1);
+ (void)EVP_PKEY_eq(bob, new);
+ (void)EVP_PKEY_eq(alice, new);
+bob_done:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(new);
OSSL_PARAM_free(params);
@@ -589,7 +594,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
*/
if (ops[operation].setup != NULL)
ops[operation].setup(&buffer_cursor, &len, &in1, &in2);
- if (ops[operation].doit != NULL)
+ if (ops[operation].doit != NULL && in1 != NULL)
ops[operation].doit(&buffer_cursor, &len, in1, in2, &out1, &out2);
if (ops[operation].cleanup != NULL)
ops[operation].cleanup(in1, in2, out1, out2);
diff --git a/fuzz/smime.c b/fuzz/smime.c
index b55a1ef74b..ab68cb0165 100644
--- a/fuzz/smime.c
+++ b/fuzz/smime.c
@@ -21,8 +21,18 @@ int FuzzerInitialize(int *argc, char ***argv)
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
- BIO *b = BIO_new_mem_buf(buf, (int)len);
- PKCS7 *p7 = SMIME_read_PKCS7(b, NULL);
+ BIO *b;
+ PKCS7 *p7;
+
+ if (len > INT_MAX)
+ return 0;
+
+ b = BIO_new_mem_buf(buf, (int)len);
+ if (b == NULL) {
+ ERR_clear_error();
+ return 0;
+ }
+ p7 = SMIME_read_PKCS7(b, NULL);
if (p7 != NULL) {
STACK_OF(PKCS7_SIGNER_INFO) *p7si = PKCS7_get_signer_info(p7);
diff --git a/fuzz/v3name.c b/fuzz/v3name.c
index 9a525e6f48..87fd8c1471 100644
--- a/fuzz/v3name.c
+++ b/fuzz/v3name.c
@@ -9,6 +9,7 @@
#include <string.h>
#include <openssl/e_os2.h>
+#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "internal/nelem.h"
@@ -23,8 +24,11 @@ int FuzzerTestOneInput(const uint8_t *data, size_t size)
{
GENERAL_NAME *namesa;
GENERAL_NAME *namesb;
-
const unsigned char *derp = data;
+
+ if (size > LONG_MAX)
+ return 0;
+
/*
* We create two versions of each GENERAL_NAME so that we ensure when
* we compare them they are always different pointers.
@@ -32,11 +36,11 @@ int FuzzerTestOneInput(const uint8_t *data, size_t size)
namesa = d2i_GENERAL_NAME(NULL, &derp, (long)size);
derp = data;
namesb = d2i_GENERAL_NAME(NULL, &derp, (long)size);
- GENERAL_NAME_cmp(namesa, namesb);
- if (namesa != NULL)
- GENERAL_NAME_free(namesa);
- if (namesb != NULL)
- GENERAL_NAME_free(namesb);
+ if (namesa != NULL && namesb != NULL)
+ GENERAL_NAME_cmp(namesa, namesb);
+ GENERAL_NAME_free(namesa);
+ GENERAL_NAME_free(namesb);
+ ERR_clear_error();
return 0;
}
diff --git a/fuzz/x509.c b/fuzz/x509.c
index 68249b48db..a10e8c0067 100644
--- a/fuzz/x509.c
+++ b/fuzz/x509.c
@@ -99,7 +99,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
if (ctx == NULL)
goto err;
- X509_STORE_CTX_init(ctx, store, x509_1, NULL);
+ if (!X509_STORE_CTX_init(ctx, store, x509_1, NULL))
+ goto err;
if (crl != NULL) {
crls = sk_X509_CRL_new_null();