https://bugs.openldap.org/show_bug.cgi?id=10224
Issue ID: 10224
Summary: tlso_session_pinning: return codes from EVP* calls are not checked; can result in crashes or undefined behavior in library
Product: OpenLDAP
Version: 2.6.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: yaneurabeya@gmail.com
Target Milestone: ---
EVP* calls made in tlso_session_pinning on lines 1189-1191 [1] are not checked when computing the digest which is eventually placed in `keyhash.bv_val` on line [2].
Not checking the EVP* calls can result in undefined behavior, e.g., a library crash with SIGBUS, SIGSEGV, etc, and/or incorrect results when analyzing `keyhash.bv_val` later.
The calls should be checked to avoid this scenario.
Reported by Coverity.
1. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5f...
2. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5f...
Howard Chu hyc@openldap.org changed:
What       |Removed     |Added
-----------+------------+---------
Status     |UNCONFIRMED |RESOLVED
Resolution |---         |TEST
--- Comment #1 from Howard Chu hyc@openldap.org --- Fixed in git 1fc09713b1a958c8503f7e05c819a85594d7fda4
Howard Chu hyc@openldap.org changed:
What       |Removed     |Added
-----------+------------+---------
Severity   |normal      |trivial
--- Comment #2 from Howard Chu hyc@openldap.org --- (In reply to yaneurabeya from comment #0)
> Not checking the EVP* calls can result in undefined behavior, e.g., a library crash with SIGBUS, SIGSEGV, etc, and/or incorrect results when analyzing `keyhash.bv_val` later.
Nonsense. The only thing that happens with the keyhash.bv_val is to perform a memcmp, and the bv_val points to valid stack memory. SIGBUS, SIGSEGV, any crash is impossible. An incorrect result only means the session check will be rejected.
The outcome would be the same regardless of whether or not this was patched.
--- Comment #3 from yaneurabeya@gmail.com --- (In reply to Howard Chu from comment #1)
> Fixed in git 1fc09713b1a958c8503f7e05c819a85594d7fda4
Thank you Howard.
Howard Chu hyc@openldap.org changed:
What             |Removed      |Added
-----------------+-------------+---------
Target Milestone |---          |2.5.19
Keywords         |needs_review |
Quanah Gibson-Mount quanah@openldap.org changed:
What       |Removed     |Added
-----------+------------+---------
Resolution |TEST        |FIXED
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• 1d556f23 by Howard Chu at 2024-06-28T16:47:32+00:00 ITS#10224 libldap: check for OpenSSL EVP_Digest* failure
RE25:
• bee6e76c by Howard Chu at 2024-06-28T16:52:18+00:00 ITS#10224 libldap: check for OpenSSL EVP_Digest* failure