Skip to content

Unchecked BN_sub() return value in crypto/bn/bn_x931p.c: BN_X931_generate_Xpq #6983

New issue
New issue
Closed
Closed
Unchecked BN_sub() return value in crypto/bn/bn_x931p.c: BN_X931_generate_Xpq#6983
Labels
branch: 1.0.2Applies to OpenSSL_1_0_2-stable branch (EOL)branch: 1.1.1Applies to OpenSSL_1_1_1-stable branch (EOL)branch: masterApplies to master branch
Milestone
Assessed
@Jason2031

Description

@Jason2031
Jason2031
opened on Aug 16, 2018

Function BN_sub() subtracts b from a and places the result in r (r=a-b). It returns 0 on error. Function BN_X931_generate_Xpq() defined in crypto/bn/bn_x931p.c calls BN_sub() but forgets the return value check. See the following code:

int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
{
    // omitted...
    for (i = 0; i < 1000; i++) {
        if (!BN_priv_rand(Xq, nbits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ANY))
            goto err;
        /* Check that |Xp - Xq| > 2^(nbits - 100) */
        BN_sub(t, Xp, Xq);  // missing return value check
        if (BN_num_bits(t) > (nbits - 100))
            break;
    }
    // omitted...
}

Jiecheng Wu, Zuxing Gu

Metadata

Metadata

Assignees

No one assigned

    Labels

    branch: 1.0.2Applies to OpenSSL_1_0_2-stable branch (EOL)branch: 1.1.1Applies to OpenSSL_1_1_1-stable branch (EOL)branch: masterApplies to master branch

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions