Overview

File nss-missing_alloc_check_DH_KEA_Derive.patch of Package mozilla-nss.972

# HG changeset patch
# Parent 6c0ce000e109da721e5f5ebac76068693e37d80f
# Parent  2145599fc8266622d280ae8ca3f75863e4ba1f3d
add checks to allocations of SECItems in DH/KEA_Derive

diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -254,30 +254,37 @@ DH_Derive(SECItem *publicValue,
     /* number of bytes in the derived secret */
     len = mp_unsigned_octet_size(&ZZ);
     if (len <= 0) {
         err = MP_BADARG;
         goto cleanup;
     }
     /* allocate a buffer which can hold the entire derived secret. */
     secret = PORT_Alloc(len);
+    if (!secret) {
+	err = MP_MEM;
+	goto cleanup;
+    }
     /* grab the derived secret */
     err = mp_to_unsigned_octets(&ZZ, secret, len);
     if (err >= 0) err = MP_OKAY;
     /* 
     ** if outBytes is 0 take all of the bytes from the derived secret.
     ** if outBytes is not 0 take exactly outBytes from the derived secret, zero
     ** pad at the beginning if necessary, and truncate beginning bytes 
     ** if necessary.
     */
     if (outBytes > 0)
 	nb = outBytes;
     else
 	nb = len;
-    SECITEM_AllocItem(NULL, derivedSecret, nb);
+    if (!SECITEM_AllocItem(NULL, derivedSecret, nb)) {
+	err = MP_MEM;
+	goto cleanup;
+    }
     if (len < nb) {
 	unsigned int offset = nb - len;
 	memset(derivedSecret->data, 0, offset);
 	memcpy(derivedSecret->data + offset, secret, len);
     } else {
 	memcpy(derivedSecret->data, secret + len - nb, nb);
     }
 cleanup:
@@ -342,21 +349,28 @@ KEA_Derive(SECItem *prime,
     CHECK_MPI_OK( mp_exptmod(&Y, &r, &p, &t) );
     /* u = DH(R, x, p) = R ** x mod p */
     CHECK_MPI_OK( mp_exptmod(&R, &x, &p, &u) );
     /* w = (t + u) mod p */
     CHECK_MPI_OK( mp_addmod(&t, &u, &p, &w) );
     /* allocate a buffer for the full derived secret */
     len = mp_unsigned_octet_size(&w);
     secret = PORT_Alloc(len);
+    if (!secret) {
+	err = MP_MEM;
+	goto cleanup;
+    }
     /* grab the secret */
     err = mp_to_unsigned_octets(&w, secret, len);
     if (err > 0) err = MP_OKAY;
     /* allocate output buffer */
-    SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN);
+    if (!SECITEM_AllocItem(NULL, derivedSecret, KEA_DERIVED_SECRET_LEN)) {
+	err = MP_MEM;
+	goto cleanup;
+    }
     memset(derivedSecret->data, 0, derivedSecret->len);
     /* copy in the 128 lsb of the secret */
     if (len >= KEA_DERIVED_SECRET_LEN) {
 	memcpy(derivedSecret->data, secret + (len - KEA_DERIVED_SECRET_LEN),
 	       KEA_DERIVED_SECRET_LEN);
     } else {
 	offset = KEA_DERIVED_SECRET_LEN - len;
 	memcpy(derivedSecret->data + offset, secret, len);
openSUSE Build Service is sponsored by
Places