There is a potential use of free on uninitialized variables in privoxy-4.2.0-stable/openssl.c for OpenSSL versions older than 3.0.
In the function generate_key(struct client_state csp, char *key_buf), under OpenSSL versions older than 3.0.0 (i.e., when OPENSSL_VERSION_NUMBER < 0x30000000L), the function declares exp, rsa, and ec_key on the stack without initializing them to NULL:
   #if (OPENSSL_VERSION_NUMBER < 0x30000000L)
      BIGNUM *exp;
      RSA *rsa;
      EC_KEY *ec_key;
   #endif
If key = EVP_PKEY_new() fails, the code jumps directly to the cleanup section:
   key = EVP_PKEY_new();
   if (key == NULL)
   {
      log_ssl_errors(LOG_LEVEL_ERROR, "RSA/EC key memory allocation failure.");
      ret = -1;
      goto exit;
   }
At the exit label, the uninitialized stack variables are checked and passed to freeing functions:
exit:
   /*
    * Freeing used variables
    */
   #if (OPENSSL_VERSION_NUMBER < 0x30000000L)
   if (csp->config->elliptic_curve_keys)
   {
      if (ec_key)
      {
         EC_KEY_free(ec_key);
      }
   }
   else
   {
      if (exp)
      {
         BN_free(exp);
      }
      if (rsa)
      {
         RSA_free(rsa);
      }
   }
   #endif
Because ec_key, exp, and rsa contain garbage from the stack, calling EC_KEY_free(), BN_free(), or RSA_free() with these arbitrary addresses results in undefined behavior, memory corruption, and potential crashes.
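The error path described above, as an added illustration that is not Privoxy's code and does not reproduce the referenced commit: the stand-in types, the fault-injection flag, the free counter and the function names are constructed for this example. It shows the standard remedy for a goto-exit cleanup block, initializing every pointer the exit label may free to NULL at its declaration, so that an early failure of the first allocation frees nothing.

```c
#include <stdlib.h>

/* Constructed stand-ins for the OpenSSL objects named in the report.
 * They are not the real EVP_PKEY, BIGNUM or RSA types. */
typedef struct { int unused; } KEY_T;
typedef struct { int unused; } BIGNUM_T;
typedef struct { int unused; } RSA_T;

static int free_calls = 0;        /* counts how often a free helper ran */
static int fail_key_alloc = 0;    /* fault injection: make key_new() fail */

static KEY_T *key_new(void)
{
   /* Simulates EVP_PKEY_new() failing on memory pressure. */
   return fail_key_alloc ? NULL : calloc(1, sizeof(KEY_T));
}

static void key_free(KEY_T *k) { free_calls++; free(k); }
static void bn_free(BIGNUM_T *b) { free_calls++; free(b); }
static void rsa_free(RSA_T *r) { free_calls++; free(r); }

int get_free_calls(void) { return free_calls; }

/*
 * Hardened form of the pattern. The report's vulnerable declarations read
 *    BIGNUM *exp; RSA *rsa;
 * and are freed at the exit label after an early goto. Here every pointer
 * that the exit label may free is initialised to NULL, so the
 * "if (ptr) free(ptr)" guards are meaningful on every path.
 */
int generate_key_hardened(int inject_failure)
{
   int ret = 0;
   KEY_T *key = NULL;
   BIGNUM_T *exp = NULL;
   RSA_T *rsa = NULL;

   free_calls = 0;
   fail_key_alloc = inject_failure;

   key = key_new();
   if (key == NULL)
   {
      ret = -1;
      goto exit;          /* exp and rsa are still NULL, not stack garbage */
   }

   exp = calloc(1, sizeof(*exp));
   rsa = calloc(1, sizeof(*rsa));
   if (exp == NULL || rsa == NULL)
   {
      ret = -1;
      goto exit;
   }

exit:
   if (exp)
   {
      bn_free(exp);
   }
   if (rsa)
   {
      rsa_free(rsa);
   }
   if (key)
   {
      key_free(key);
   }
   return ret;
}
```

With the failure injected, the function returns -1 and no free helper runs; on the success path all three objects are released exactly once. Compiling with -Wuninitialized (and -Wmaybe-uninitialized at -O2 on GCC) or running the error path under Valgrind or MemorySanitizer is the usual way to catch the original shape of this defect before a reviewer does.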
Thanks a lot for the report.
Fixed in 0783764ef5604.