File nss-missing_alloc_check_DH_KEA_Derive.patch of Package mozilla-nss.972
# HG changeset patch
# Parent 6c0ce000e109da721e5f5ebac76068693e37d80f
# Parent 2145599fc8266622d280ae8ca3f75863e4ba1f3d
add checks to allocations of SECItems in DH/KEA_Derive
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -254,30 +254,37 @@ DH_Derive(SECItem *publicValue,
/* number of bytes in the derived secret */
len = mp_unsigned_octet_size(&ZZ);
if (len <= 0) {
err = MP_BADARG;
goto cleanup;
}
/* allocate a buffer which can hold the entire derived secret. */
secret = PORT_Alloc(len);
+ if (!secret) {
+ err = MP_MEM;
+ goto cleanup;
+ }
/* grab the derived secret */
err = mp_to_unsigned_octets(&ZZ, secret, len);
if (err >= 0) err = MP_OKAY;
/*
** if outBytes is 0 take all of the bytes from the derived secret.
** if outBytes is not 0 take exactly outBytes from the derived secret, zero
** pad at the beginning if necessary, and truncate beginning bytes
** if necessary.
*/
if (outBytes > 0)
nb = outBytes;
else
nb = len;
- SECITEM_AllocItem(NULL, derivedSecret, nb);
+ if (!SECITEM_AllocItem(NULL, derivedSecret, nb)) {
+ err = MP_MEM;
+ goto cleanup;
+ }
if (len < nb) {
unsigned int offset = nb - len;
memset(derivedSecret->data, 0, offset);
memcpy(derivedSecret->data + offset, secret, len);
} else {
memcpy(derivedSecret->data, secret + len - nb, nb);
}
cleanup:
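Review bot: A failing `mp_to_unsigned_octets` is still not acted on in DH_Derive: after `if (err >= 0) err = MP_OKAY;` a negative `err` falls through to `SECITEM_AllocItem` and the `memcpy` from `secret`, which at that point may hold whatever `PORT_Alloc` returned rather than the derived value. The new allocation checks all jump to `cleanup`, so the conversion result should do the same, e.g. `if (err < 0) goto cleanup;` followed by `err = MP_OKAY;`. The same fall-through is present in the KEA_Derive hunk after `if (err > 0) err = MP_OKAY;`. The body of `cleanup` lies outside the hunk, so it is worth confirming that the new `SECITEM_AllocItem` failure path zeroizes and frees `secret`, which already holds the derived key material when that jump is taken.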
@@ -342,21 +349,28 @@ KEA_Derive(SECItem *prime,
CHECK_MPI_OK( mp_exptmod(&Y, &r, &p, &t) );
/* u = DH(R, x, p) = R ** x mod p */
CHECK_MPI_OK( mp_exptmod(&R, &x, &p, &u) );
/* w = (t + u) mod p */
CHECK_MPI_OK( mp_addmod(&t, &u, &p, &w) );
/* allocate a buffer for the full derived secret */
len = mp_unsigned_octet_size(&w);
secret = PORT_Alloc(len);
+ if (!secret) {
+ err = MP_MEM;
+ goto cleanup;
+ }
/* grab the secret */
err = mp_to_unsigned_octets(&w, secret, len);
if (err > 0) err = MP_OKAY;
/* allocate output buffer */
- SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN);
+ if (!SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN)) {
+ err = MP_MEM;
+ goto cleanup;
+ }
memset(derivedSecret->data, 0, derivedSecret->len);
/* copy in the 128 lsb of the secret */
if (len >= KEA_DERIVED_SECRET_LEN) {
memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN),
KEA_DERIVED_SECRET_LEN);
} else {
offset = KEA_DERIVED_SECRET_LEN - len;
memcpy(derivedSecret->data + offset, secret, len);
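Review bot: KEA_Derive passes `len` straight from `mp_unsigned_octet_size(&w)` to `PORT_Alloc` without the `if (len <= 0)` guard that DH_Derive applies to the same call. With the added NULL check, a bad length would most likely surface as `MP_MEM` rather than `MP_BADARG`, and a zero length depends on how `PORT_Alloc(0)` behaves. Adding `if (len <= 0) { err = MP_BADARG; goto cleanup; }` before the allocation would make the two functions agree. The declaration of `len` is outside the hunk, so its signedness should be checked when writing the guard.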