src: Malloc/Calloc size 0 returns non-null pointer #8572

Closed. Wants to merge 1 commit into base: master. 8 participants.
@Trott (Member) commented Sep 17, 2016

Checklist
  • make -j4 test (UNIX), or vcbuild test nosign (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines
Affected core subsystem(s)

crypto

Description of change

crypto.pbkdf2() with empty password and/or salt causes a fatal error in
Node.js 6.6.0. It did not in 6.5.0. The problematic change is
a00ccb0. We still need to review other
changes in that change set, but this is a test and fix for the specific
issue reported in #8571.

The problem is that malloc(0) may return NULL on some platforms. So
do not report out-of-memory error unless malloc was passed a number
greater than 0.

Fixes: #8571

@mscdex (Contributor) commented Sep 17, 2016

I should point out that there's also a behavior change here, since before the introduction of node::Malloc(), a Buffer would actually get passed to the crypto.pbkdf2() callback, and now with this PR it would get passed an Error instead.

@Trott (Member) commented Sep 17, 2016

There's also a behavior change

Yes, that's correct. I didn't consider that. Thanks for pointing it out.

I wonder if the best path is to revert a00ccb0 in the 6.x line and release 6.6.1 soon.

Meanwhile, leave a00ccb0 along with this change in 7.x. And of course review the other instances of nullptr checks...

(outdated review comment on src/node_crypto.cc)
@bnoordhuis (Member) commented Sep 17, 2016
I wonder if the best path is to revert a00ccb0 in the 6.x line and release 6.6.1 soon.

The code that it replaced was broken anyway because it relied on implementation-specific behavior.

If you are worried about regressions, a better fix is to avoid zero-sized allocations like this:

diff --git a/src/util-inl.h b/src/util-inl.h
index 5644ee9..31411bb 100644
--- a/src/util-inl.h
+++ b/src/util-inl.h
@@ -246,11 +246,13 @@ void* Realloc(void* pointer, size_t size) {

 // As per spec realloc behaves like malloc if passed nullptr.
 void* Malloc(size_t size) {
+  if (size == 0) size = 1;
   return Realloc(nullptr, size);
 }

 void* Calloc(size_t n, size_t size) {
-  if ((n == 0) || (size == 0)) return nullptr;
+  if (n == 0) n = 1;
+  if (size == 0) size = 1;
   CHECK_GE(n * size, n);  // Overflow guard.
   return calloc(n, size);
 }
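Review bot: In the Calloc part of this hunk, the existing guard `CHECK_GE(n * size, n);  // Overflow guard.` now runs on every call with both operands forced non-zero, but it does not catch every wrap-around (for example n = 3 with size = 2^63 on a 64-bit size_t wraps to 2^63, which is still >= n); since the patch changes the guard's preconditions, consider replacing it with a division-based check such as `CHECK(n <= SIZE_MAX / size);` evaluated before the multiplication. A one-line comment on the new `if (size == 0) size = 1;` lines would also help, stating that the clamp exists so that a nullptr return from Malloc()/Calloc() can be treated as out-of-memory by callers; and because the removed `if ((n == 0) || (size == 0)) return nullptr;` path is gone, any caller of Calloc(0, x) now receives a real one-byte allocation that it must free.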
@addaleax (Member) commented Sep 17, 2016

I’m marking #8482 as blocked while this discussion is ongoing. This change LGTM as it is, and I actually do like @yorkie’s idea, too. If it still makes sense, I’d definitely want to implement that on top of #8482.

@Trott (Member) commented Sep 18, 2016

I think I like @bnoordhuis's suggestion above best. That would unblock #8482 as well? Or not quite?

@Trott (Member) commented Sep 18, 2016

Updated with @bnoordhuis's suggestion for a more complete fix. The test added here works in 6.5.0, fails in 6.6.0, and passes again with the change here, all as expected. PTAL /cc @mhdawson

So that's a fix for the 6.x line. I guess the next question is whether we want behavior to be unchanged in 7.x or if we want the crypto library to emit an error event in this situation. If there's no compelling reason to make a breaking change like that in v7, then I guess this is good for both lines...

@Trott (Member) commented Sep 18, 2016

By the way, is there an existing reasonable place to drop a C++ test that calls Malloc() and Calloc() with zeroes and confirms that it does not get a null pointer? (You'd think I'd know the answer to that question....)

@yorkie (Member) commented Sep 19, 2016

@Trott Shouldn't we open another pull-request to change Malloc/Calloc functions and merge it ASAP before this gets merged? This one seems not KISS enough :(

@Trott (Member) commented Sep 19, 2016

@yorkie The only thing I see that's optional is the var->const and equal()->strictEqual() changes. I'll pull those out to make this as minimal as possible.

@Trott (Member) commented Sep 19, 2016

Removed superfluous style changes, edited commit message, squashed, force pushed. PTAL.

@yorkie (Member) commented Sep 19, 2016

@Trott What I did mean is that you did write in the commit message as:

Change Malloc()/Calloc() so that size zero does not return a null
pointer, consistent with prior behavior.

This change seems a side-effect and it'd be better to land in another PR? Of course this is a friendly suggestion, both are reasonable :)

@bnoordhuis (Member) commented Sep 19, 2016

is there an existing reasonable place to drop a C++ test that calls Malloc() and Calloc() with zeroes and confirms that it does not get a null pointer?

test/cctest/util.cc

@addaleax

This change seems a side-effect and it'd better to land in another PR? Of course this is a friendly suggestion, both are reasonable :)

Maybe just split into two commits? And don’t worry about #8482, I’ll rebase on whatever comes out of this change.

@mscdex (Contributor) commented Sep 19, 2016

What does everyone think about just returning a static 1-byte sized buffer on request of a zero-length chunk of memory? That way we definitely only allocate a 1-byte sized buffer once.

@addaleax (Member) commented Sep 19, 2016

@mscdex That’s basically @yorkie’s idea from above, right? I’d still be on board with that.

@mscdex (Contributor) commented Sep 19, 2016

@addaleax Basically, yes.

@Trott (Member) commented Sep 19, 2016

If someone else wants to take over this PR to add the "only allocate a pointer once" business (file a separate PR or push a change to this branch or whatever), that would be great.

(Feel free to just take any of the 12 lines of code here that's useful to you, nearly half of which I didn't write anyway. :-D )

@mscdex (Contributor) commented Sep 19, 2016

Now that I think about it, there would be more work involved if we used a static buffer to make sure no call to free() happens on it. This would require either prefixing every free() with a conditional or adding a node::Free() that replaces free() calls. In the latter case we could then just easily compare pointers to know whether to actually call free or not.
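As an added example (not code from the Node.js tree or from anyone in this thread), here are the two designs discussed above side by side in C++: the clamp-to-one-byte Malloc()/Calloc() from the PR description and bnoordhuis's patch, and mscdex's static one-byte buffer with a Free() that decides by pointer comparison. The namespace and helper names (`clamp`, `sentinel`, `MulFits`, `IsSentinel`) are assumptions of this example; the overflow guard returns nullptr where Node's CHECK would abort, and the two check functions stand in for the cctest asked about above.

```cpp
// Added example, not Node.js code: two ways to stop zero-size allocation
// wrappers from returning nullptr, so that a nullptr really means
// out-of-memory (the assumption node_crypto.cc made when 6.6.0 regressed).
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Stronger than CHECK_GE(n * size, n): true iff n * size fits in a size_t.
// Hypothetical helper, not part of Node's util-inl.h.
static inline bool MulFits(size_t n, size_t size) {
  return size == 0 || n <= SIZE_MAX / size;
}

// Approach 1 (what this PR landed): clamp a zero request to one byte.
// Every pointer handed out is a real heap block, so plain free() is fine.
namespace clamp {

void* Malloc(size_t size) {
  if (size == 0) size = 1;
  return realloc(nullptr, size);  // realloc(nullptr, n) acts like malloc(n)
}

void* Calloc(size_t n, size_t size) {
  if (n == 0) n = 1;
  if (size == 0) size = 1;
  if (!MulFits(n, size)) return nullptr;  // Node would CHECK-abort instead
  return calloc(n, size);
}

void Free(void* p) { free(p); }

}  // namespace clamp

// Approach 2 (mscdex's alternative, #8658): hand out one static byte for every
// zero-size request. Nothing is allocated, but every release must go through
// Free(), because free() on the sentinel is undefined behaviour.
namespace sentinel {

static char zero_size_sentinel[1];

bool IsSentinel(const void* p) { return p == zero_size_sentinel; }

void* Malloc(size_t size) {
  if (size == 0) return zero_size_sentinel;
  return malloc(size);
}

void* Calloc(size_t n, size_t size) {
  if (n == 0 || size == 0) return zero_size_sentinel;
  if (!MulFits(n, size)) return nullptr;
  return calloc(n, size);
}

void Free(void* p) {
  if (IsSentinel(p)) return;  // pointer compare, as suggested in the thread
  free(p);
}

}  // namespace sentinel

// The check the thread wants in test/cctest/util.cc: zero-size requests give
// non-null pointers in both designs, and releasing them is safe.
bool ZeroSizeAllocsAreNonNull() {
  void* a = clamp::Malloc(0);
  void* b = clamp::Calloc(0, 0);
  void* c = clamp::Calloc(1, 0);
  void* d = clamp::Calloc(0, 1);
  bool ok = a != nullptr && b != nullptr && c != nullptr && d != nullptr;
  clamp::Free(a); clamp::Free(b); clamp::Free(c); clamp::Free(d);

  void* e = sentinel::Malloc(0);
  void* f = sentinel::Calloc(0, 8);
  ok = ok && sentinel::IsSentinel(e) && sentinel::IsSentinel(f);
  sentinel::Free(e);
  sentinel::Free(f);
  return ok;
}

// n * size wrapping around must be rejected. With n = 3 and size = 2^(bits-1)
// the product wraps to 2^(bits-1), which is still >= n, so the guard
// CHECK_GE(n * size, n) from the diff would let it through; the division
// guard does not.
bool OverflowIsRejected() {
  const size_t huge = SIZE_MAX / 2 + 1;
  const bool naive_guard_passes = (3 * huge) >= static_cast<size_t>(3);
  return naive_guard_passes && clamp::Calloc(3, huge) == nullptr &&
         sentinel::Calloc(3, huge) == nullptr;
}

int main() {
  std::printf("zero-size non-null: %s\n", ZeroSizeAllocsAreNonNull() ? "yes" : "no");
  std::printf("overflow rejected:  %s\n", OverflowIsRejected() ? "yes" : "no");
  return 0;
}
```

The sentinel design is cheaper (no allocation at all for zero-size requests) but, as mscdex notes, it only stays safe if every free() in the code base is routed through the pointer-comparing Free(); the clamp design costs one byte per call and needs no such audit.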

mscdex referenced this pull request Sep 20, 2016: src: return static buffer on malloc(0) #8658 (Closed, 3 of 3 tasks complete)
@mscdex (Contributor) commented Sep 20, 2016

I submitted the alternate solution in #8658.

@yorkie (Member) commented Sep 20, 2016

+1 on @mscdex's patch :)

@Trott (Member) commented Sep 20, 2016

I'm going to close this in favor of #8658. If anyone thinks that's a mistake for whatever reason, feel free to comment or re-open.

@Trott Trott closed this Sep 20, 2016

@addaleax addaleax reopened this Sep 20, 2016

@Trott (Member) commented Sep 20, 2016

OK, so this is open again, and there's one LGTM from @addaleax. Anyone else want to either add an LGTM or express concern that this isn't the way to go? @bnoordhuis? @jasnell? @mscdex? @yorkie?

@jasnell (Member) commented Sep 21, 2016

LGTM

@yorkie (Member) commented Sep 21, 2016

LGTM, too

src: Malloc/Calloc size 0 returns non-null pointer
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.

Fixes: #8571
@Trott (Member) commented Sep 21, 2016

I added some C++ tests. PTAL. (Thanks, @bnoordhuis and @addaleax!)

CI: https://ci.nodejs.org/job/node-test-pull-request/4196/

@addaleax (Member) commented Sep 21, 2016

Still LGTM! :)

@Trott Trott changed the title from crypto: fix pbkdf2() with empty strings to src: Malloc/Calloc size 0 returns non-null pointer Sep 21, 2016

@mhdawson (Member) commented Sep 21, 2016

Sorry for the late response, just catching up from being away. LGTM from me.

Trott added a commit to Trott/io.js that referenced this pull request Sep 22, 2016

src: Malloc/Calloc size 0 returns non-null pointer
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.

Fixes: nodejs#8571
PR-URL: nodejs#8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
@Trott (Member) commented Sep 22, 2016

Landed in d2eb7ce

@Trott Trott closed this Sep 22, 2016

MylesBorins added a commit that referenced this pull request Sep 23, 2016

src: Malloc/Calloc size 0 returns non-null pointer
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.

Fixes: #8571
PR-URL: #8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

MylesBorins added a commit that referenced this pull request Sep 26, 2016

src: Malloc/Calloc size 0 returns non-null pointer
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.

Fixes: #8571
PR-URL: #8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

evanlucas added a commit that referenced this pull request Sep 28, 2016

2016-09-27, Version 6.7.0 (Current)
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.

Notable Changes

Semver Minor:

* openssl:
  - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
    CVE-2016-6304 ("OCSP Status Request extension unbounded memory
    growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
    (Shigeki Ohtsu) #8714
  - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
    a crash when using CRLs, CVE-2016-7052.
    (Shigeki Ohtsu) #8786
  - Remove support for loading dynamic third-party engine modules.
    An attacker may be able to hide malicious code to be inserted
    into Node.js at runtime by masquerading as one of the dynamic
    engine modules. Originally reported by Ahmed Zaki (Skype).
    (Ben Noordhuis) nodejs-private/node-private#73
* http: CVE-2016-5325 - Properly validate for allowable characters in
  the `reason` argument in `ServerResponse#writeHead()`. Fixes a
  possible response splitting attack vector. This introduces a new
  case where `throw` may occur when configuring HTTP responses, users
  should already be adopting try/catch here. Originally reported
  independently by Evan Lucas and Romain Gaucher.
  (Evan Lucas) nodejs-private/node-private#60

Semver Patch:

* buffer: Zero-fill excess bytes in new `Buffer` objects created with
  `Buffer.concat()` while providing a `totalLength` parameter that
  exceeds the total length of the original `Buffer` objects being
  concatenated.
  (Сковорода Никита Андреевич) nodejs-private/node-private#64
* src: Fix regression where passing an empty password and/or salt to
  crypto.pbkdf2() would cause a fatal error
  (Rich Trott) #8572
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
  check whereby a TLS server may be able to serve an invalid wildcard
  certificate for its hostname due to improper validation of `*.` in the
  wildcard string. Originally reported by Alexander Minozhenko and
  James Bunton (Atlassian).
  (Ben Noordhuis) nodejs-private/node-private#75
* v8: Fix regression where a regex on a frozen object was broken
  (Myles Borins) #8673

imyller added a commit to imyller/meta-nodejs that referenced this pull request Sep 28, 2016

2016-09-27, Version 6.7.0 (Current)
    (same release notes as above; this PR is listed under Semver Patch as nodejs/node#8572)

Signed-off-by: Ilkka Myller <ilkka.myller@nodefield.com>


jasnell added a commit that referenced this pull request Sep 29, 2016

src: Malloc/Calloc size 0 returns non-null pointer
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.

Fixes: #8571
PR-URL: #8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

addaleax referenced this pull request Oct 7, 2016: core: normalize malloc, realloc #7564 (Closed, 2 of 2 tasks complete)

jasnell added a commit that referenced this pull request Oct 10, 2016

2016-09-27, Version 6.7.0 (Current)
(same release notes as above; this PR is listed under Semver Patch as #8572)

addaleax added a commit to addaleax/node that referenced this pull request Nov 22, 2016

src: Malloc/Calloc size 0 returns non-null pointer
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.

Fixes: nodejs#8571
PR-URL: nodejs#8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

MylesBorins added a commit that referenced this pull request Nov 22, 2016

src: Malloc/Calloc size 0 returns non-null pointer
Change `Malloc()/Calloc()` so that size zero does not return a null
pointer, consistent with prior behavior.

Fixes: #8571
PR-URL: #8572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@keybase.io>
Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>

MylesBorins referenced this pull request Nov 22, 2016: v4.7.0 proposal #9736 (Merged)
