[erlang-patches] [PATCH] crypto: fix a few memleaks/undefined pointer dereferences

Florian Zumbiehl <>
Mon Dec 16 13:19:05 CET 2013


---
Hi,

now, those are the obviously broken cases - what I am wondering about is
whether it is correct that almost none of the OpenSSL calls in crypto are
being checked for memory allocation failures!? IIUC, OpenSSL is configured
to use enif_alloc(), which according to this ...

http://www.erlang.org/doc/man/erl_nif.html#enif_alloc

... will return NULL in case of an allocation failure. Now, is that there
just to confuse people because the function doesn't actually ever return in
case of an allocation failure, or is this really severely broken? Am I
missing something?

Regards, Florian

diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c
index 42fb172..9e5c42a 100644
--- a/lib/crypto/c_src/crypto.c
+++ b/lib/crypto/c_src/crypto.c
@@ -1789,7 +1789,7 @@ static ERL_NIF_TERM rand_uniform_nif(ErlNifEnv* env, int argc, const ERL_NIF_TER
 
 static ERL_NIF_TERM mod_exp_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {/* (Base,Exponent,Modulo,bin_hdr) */
-    BIGNUM *bn_base=NULL, *bn_exponent=NULL, *bn_modulo, *bn_result;
+    BIGNUM *bn_base=NULL, *bn_exponent=NULL, *bn_modulo=NULL, *bn_result;
     BN_CTX *bn_ctx;
     unsigned char* ptr;
     unsigned dlen;      
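Review bot: `bn_result` and `bn_ctx` are still declared without an initializer in mod_exp_nif, and the same mixed pattern remains in the srp_value_B_nif hunk (`*bn_result`) and the srp_host_secret_nif hunk (`*bn_base, *bn_result`). Nothing visible in these hunks frees them on the bad-argument path, so this is not a defect in the lines shown. It is a robustness point: the bug this patch fixes came from exactly this kind of partly initialized declarator list. Giving every pointer an initializer on its own line, e.g. `BIGNUM *bn_result = NULL;` and `BN_CTX *bn_ctx = NULL;`, keeps any cleanup path added later safe. The function bodies continue outside the hunks.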
@@ -1804,6 +1804,7 @@ static ERL_NIF_TERM mod_exp_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM arg
 
 	if (bn_base) BN_free(bn_base);
 	if (bn_exponent) BN_free(bn_exponent);
+	if (bn_modulo) BN_free(bn_modulo);
 	return enif_make_badarg(env);
     }
     bn_result = BN_new();
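Review bot: The `if (bn_x) BN_free(bn_x);` guards on this bad-argument path look redundant, since OpenSSL's BN_free() does nothing when passed NULL (worth confirming for the oldest OpenSSL release the build supports). The guard is also where the mismatched-name mistake in srp_value_B_nif crept in (`if (bn_verifier) BN_free(bn_generator);`, corrected later in this patch). Writing the cleanup as plain `BN_free(bn_base); BN_free(bn_exponent); BN_free(bn_modulo);` leaves a single name per line to get right. That form depends on every pointer being NULL-initialized, which the declaration change in this patch now provides for these three. The same simplification applies to the srp_value_B_nif cleanup.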
@@ -2600,7 +2601,7 @@ static ERL_NIF_TERM dh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_T
 static ERL_NIF_TERM srp_value_B_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {/* (Multiplier, Verifier, Generator, Exponent, Prime) */
     BIGNUM *bn_verifier = NULL;
-    BIGNUM *bn_exponent, *bn_generator, *bn_prime, *bn_multiplier, *bn_result;
+    BIGNUM *bn_exponent = NULL, *bn_generator = NULL, *bn_prime = NULL, *bn_multiplier = NULL, *bn_result;
     BN_CTX *bn_ctx;
     unsigned char* ptr;
     unsigned dlen;
@@ -2613,9 +2614,9 @@ static ERL_NIF_TERM srp_value_B_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
 	|| !get_bn_from_bin(env, argv[4], &bn_prime)) {
 	if (bn_multiplier) BN_free(bn_multiplier);
 	if (bn_verifier) BN_free(bn_verifier);
-	if (bn_verifier) BN_free(bn_generator);
-	if (bn_verifier) BN_free(bn_exponent);
-	if (bn_verifier) BN_free(bn_prime);
+	if (bn_generator) BN_free(bn_generator);
+	if (bn_exponent) BN_free(bn_exponent);
+	if (bn_prime) BN_free(bn_prime);
 	return enif_make_badarg(env);
     }
 
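Review bot: On this bad-argument path `bn_exponent` and `bn_verifier` are released with `BN_free`, which returns the memory without wiping the number first. Going by the parameter comment, these are the SRP exponent and the password verifier, so they are presumably secret. `BN_clear_free(bn_exponent);` and `BN_clear_free(bn_verifier);` would zero them before release. The gain is limited to OpenSSL's copy, since the input binaries presumably stay in the Erlang heap. The success-path frees lie outside the hunk and would need the same treatment.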
@@ -2739,7 +2740,7 @@ static ERL_NIF_TERM srp_host_secret_nif(ErlNifEnv* env, int argc, const ERL_NIF_
         <premaster secret> = (A * v^u) ^ b % N
 */
     BIGNUM *bn_b = NULL, *bn_verifier = NULL;
-    BIGNUM *bn_prime, *bn_A, *bn_u, *bn_base, *bn_result;
+    BIGNUM *bn_prime = NULL, *bn_A = NULL, *bn_u = NULL, *bn_base, *bn_result;
     BN_CTX *bn_ctx;
     unsigned char* ptr;
     unsigned dlen;

