https://bugs.openldap.org/show_bug.cgi?id=10224
Issue ID: 10224
Summary: tlso_session_pinning: return codes from EVP* calls are not checked; can result in crashes or undefined behavior in library
Product: OpenLDAP
Version: 2.6.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: yaneurabeya@gmail.com
Target Milestone: ---
EVP* calls made in tlso_session_pinning on lines 1189-1191 [1] are not checked when computing the digest which is eventually placed in `keyhash.bv_val` on line [2].
Not checking the EVP* calls can result in undefined behavior, e.g., a library crash with SIGBUS, SIGSEGV, etc., and/or incorrect results when analyzing `keyhash.bv_val` later.
The calls should be checked to avoid this scenario.
Reported by Coverity.
1. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5f...
2. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5f...