
Fix use-after-free crash in openssl backend without memory leak

Hans Meier committed Dec 16, 2019
1 parent 24fd419 commit d556b053abbe6ec326b4331e0bec829acfbd9274
Showing with 21 additions and 21 deletions.
  1. +21 −21 src/openssl.c
@@ -433,6 +433,12 @@ _libssh2_cipher_crypt(_libssh2_cipher_ctx * ctx,
return ret == 1 ? 0 : 1;
}

#ifndef HAVE_EVP_AES_128_CTR
static EVP_CIPHER * aes_128_ctr_cipher = NULL;
static EVP_CIPHER * aes_192_ctr_cipher = NULL;
static EVP_CIPHER * aes_256_ctr_cipher = NULL;
#endif

#if LIBSSH2_AES_CTR && !defined(HAVE_EVP_AES_128_CTR)

#include <openssl/aes.h>
@@ -589,49 +595,46 @@ const EVP_CIPHER *
_libssh2_EVP_aes_128_ctr(void)
{
#ifdef HAVE_OPAQUE_STRUCTS
EVP_CIPHER * aes_ctr_cipher;
return make_ctr_evp(16, &aes_ctr_cipher, NID_aes_128_ctr);
return !aes_128_ctr_cipher ?
make_ctr_evp(16, &aes_128_ctr_cipher, NID_aes_128_ctr) : aes_128_ctr_cipher;
#else
static EVP_CIPHER aes_ctr_cipher;
EVP_CIPHER * aes_ctr_cipher_ptr = &aes_ctr_cipher;
return make_ctr_evp(16, &aes_ctr_cipher_ptr, 0);
static EVP_CIPHER * aes_ctr_cipher_ptr = &aes_ctr_cipher;
return !aes_ctr_cipher.key_len ?
make_ctr_evp(16, &aes_ctr_cipher_ptr, 0) : &aes_ctr_cipher;
#endif
}

const EVP_CIPHER *
_libssh2_EVP_aes_192_ctr(void)
{
#ifdef HAVE_OPAQUE_STRUCTS
EVP_CIPHER * aes_ctr_cipher;
return make_ctr_evp(24, &aes_ctr_cipher, NID_aes_192_ctr);
return !aes_192_ctr_cipher ?
make_ctr_evp(24, &aes_192_ctr_cipher, NID_aes_192_ctr) : aes_192_ctr_cipher;
#else
static EVP_CIPHER aes_ctr_cipher;
EVP_CIPHER * aes_ctr_cipher_ptr = &aes_ctr_cipher;
return make_ctr_evp(24, &aes_ctr_cipher_ptr, 0);
static EVP_CIPHER * aes_ctr_cipher_ptr = &aes_ctr_cipher;
return !aes_ctr_cipher.key_len ?
make_ctr_evp(24, &aes_ctr_cipher_ptr, 0) : &aes_ctr_cipher;
#endif
}

const EVP_CIPHER *
_libssh2_EVP_aes_256_ctr(void)
{
#ifdef HAVE_OPAQUE_STRUCTS
EVP_CIPHER * aes_ctr_cipher;
return make_ctr_evp(32, &aes_ctr_cipher, NID_aes_256_ctr);
return !aes_256_ctr_cipher ?
make_ctr_evp(32, &aes_256_ctr_cipher, NID_aes_256_ctr) : aes_256_ctr_cipher;
#else
static EVP_CIPHER aes_ctr_cipher;
EVP_CIPHER * aes_ctr_cipher_ptr = &aes_ctr_cipher;
return make_ctr_evp(32, &aes_ctr_cipher_ptr, 0);
static EVP_CIPHER * aes_ctr_cipher_ptr = &aes_ctr_cipher;
return !aes_ctr_cipher.key_len ?
make_ctr_evp(32, &aes_ctr_cipher_ptr, 0) : &aes_ctr_cipher;
#endif
}

#endif /* LIBSSH2_AES_CTR */

#ifndef HAVE_EVP_AES_128_CTR
static EVP_CIPHER * aes_128_ctr_cipher = NULL;
static EVP_CIPHER * aes_192_ctr_cipher = NULL;
static EVP_CIPHER * aes_256_ctr_cipher = NULL;
#endif

void _libssh2_openssl_crypto_init(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
@@ -650,11 +653,8 @@ void _libssh2_openssl_crypto_init(void)
#endif
#endif
#ifndef HAVE_EVP_AES_128_CTR
if(!aes_128_ctr_cipher)
aes_128_ctr_cipher = (EVP_CIPHER *) _libssh2_EVP_aes_128_ctr();
if(!aes_192_ctr_cipher)
aes_192_ctr_cipher = (EVP_CIPHER *) _libssh2_EVP_aes_192_ctr();
if(!aes_256_ctr_cipher)
aes_256_ctr_cipher = (EVP_CIPHER *) _libssh2_EVP_aes_256_ctr();
#endif
}
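Review bot: The cached-pointer check in `_libssh2_EVP_aes_128_ctr()` (and the 192/256 variants) returns whatever is stored in `aes_128_ctr_cipher`, so the fix only holds if the code that frees these methods also resets the pointers to NULL; that teardown path is not shown on this page and should be confirmed. If it frees without clearing, a later init or getter call would hand a freed `EVP_CIPHER` to the EVP layer, which is the same class of use-after-free the commit title describes. The check-then-create is also unsynchronised, so it appears to rely on `_libssh2_openssl_crypto_init()` running once before any concurrent use; a comment above the statics such as `/* cached CTR methods: created once from crypto init, freed and reset to NULL at crypto exit; not safe to call concurrently before init */` would record that. In the non-opaque branch `key_len` doubles as the "already initialised" flag, which deserves a one-line comment too, e.g. `/* key_len stays 0 until make_ctr_evp() has filled the struct */`.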
