Skip to content

Incorrect usage of BN_CONTEXT API #13812

New issue
New issue
Closed
Closed
Incorrect usage of BN_CONTEXT API#13812
Labels
resolved: fixedThis issue has been fixedtriaged: bugThe issue/pr is/fixes a bug
@agustingianni

Description

@agustingianni
agustingianni
opened on Jan 8, 2021

By modeling the issue fixed by commit 0e8b6c9 with codeql I was able to find some variants of the pattern .

Bug 1:

openssl/crypto/bn/bn_prime.c

Line 149 in 9311d0c

goto err;

If mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES); fails to allocate memory it will execute a goto that will perform BN_CTX_end(ctx); on the context without a matching BN_CTX_start.

Bug 2:

openssl/crypto/bn/bn_sqrt.c

Line 31 in 605856d

goto end;

If ret = BN_new(); fails to allocate memory it will execute a goto that will perform BN_CTX_end(ctx); on the context without a matching BN_CTX_start.

This can happen twice in the function so both cases would need to be addressed.

Bug 3:

openssl/crypto/bn/bn_x931p.c

Line 177 in 4261939

goto err;

If BN_priv_rand_ex(Xp, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY, ctx)) fails it will execute a goto that will perform BN_CTX_end(ctx); on the context without a matching BN_CTX_start.

Bug 4:

openssl/crypto/ec/ec_mult.c

Line 850 in 9311d0c

goto err;

If generator = EC_GROUP_get0_generator(group); is null, it will execute a goto that will perform BN_CTX_end(ctx); on the context without a matching BN_CTX_start.

I've already fixed the issues and am creating the issue to refer to it in the PR.

Metadata

Metadata

Assignees

No one assigned

    Labels

    resolved: fixedThis issue has been fixedtriaged: bugThe issue/pr is/fixes a bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions