Red Hat Bugzilla – Bug 1284207
uninitialized variable usage with BN_with_flags
Last modified: 2016-07-19 14:31:00 EDT
Description of problem:
/* get a clone of a BIGNUM with changed flags, for *temporary* use only
 * (the two BIGNUMs cannot not be used in parallel!) */
#define BN_with_flags(dest,b,n) ((dest)->d=(b)->d, \
    (dest)->flags=(((dest)->flags & BN_FLG_MALLOCED) \
                   | ((b)->flags & ~BN_FLG_MALLOCED) \
                   | BN_FLG_STATIC_DATA \
                   | (n)))
BN_with_flags is then called with dest being an uninitialized variable.
I didn't read enough of the code to say conclusively whether a double free() is possible with the current codebase, but I'd remove that "((dest)->flags & BN_FLG_MALLOCED) |" from BN_with_flags to be sure and to reduce false alarms from static analyzers.
It also uses BN_FLG_STATIC_DATA, well sure... openssl is so obvious 😕
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Or current users of BN_with_flags could initialize flags before calling it so API stays future-compatible.
(In reply to Sami Farin from comment #1)
> Or current users of BN_with_flags could initialize flags before calling it
> so API stays future-compatible.
This is the proper fix.
Please report it upstream via mailing to email@example.com
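The flag handling discussed in this report, as an added example that is not part of the original bug report or OpenSSL's code: a stand-in struct (`toy_bn`) and macro (`TOY_with_flags`) with assumed flag names and values show how stale bytes in `dest` decide whether the MALLOCED bit survives the macro, and how zeroing `flags` first removes that dependency. `would_free_struct` is a hypothetical model of a cleanup routine that trusts the bit.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the BIGNUM fields the macro touches; names and flag values
 * are assumptions made for this example, not taken from OpenSSL headers. */
#define FLG_MALLOCED    0x01  /* struct itself came from the heap */
#define FLG_STATIC_DATA 0x02  /* d is borrowed and must not be freed */
#define FLG_CONSTTIME   0x04  /* sample flag passed as n */

typedef struct { unsigned long *d; int flags; } toy_bn;

/* Same flag logic as the macro quoted in the report. */
#define TOY_with_flags(dest, b, n) ((dest)->d = (b)->d, \
    (dest)->flags = (((dest)->flags & FLG_MALLOCED) \
                   | ((b)->flags & ~FLG_MALLOCED) \
                   | FLG_STATIC_DATA \
                   | (n)))

/* Hypothetical cleanup decision: a free routine that trusts FLG_MALLOCED
 * would call free() on the struct itself when this returns 1. */
static int would_free_struct(const toy_bn *a)
{
    return (a->flags & FLG_MALLOCED) != 0;
}

/* Clone src into a stack temporary whose bytes are first filled with
 * `stale` (a constructed stand-in for leftover stack contents). With
 * init_first set, flags is zeroed before the macro runs. */
static int clone_and_check(unsigned char stale, int init_first)
{
    unsigned long limb = 42;
    toy_bn src = { &limb, 0 };
    toy_bn tmp;

    memset(&tmp, stale, sizeof tmp);
    if (init_first)
        tmp.flags = 0;
    TOY_with_flags(&tmp, &src, FLG_CONSTTIME);
    return would_free_struct(&tmp);
}

int main(void)
{
    printf("stale 0xFF, no init: %d\n", clone_and_check(0xFF, 0));
    printf("stale 0x00, no init: %d\n", clone_and_check(0x00, 0));
    printf("stale 0xFF, init:    %d\n", clone_and_check(0xFF, 1));
    return 0;
}
```

The first two calls differ only in the leftover bytes, which is why the outcome is not reproducible from run to run and why static analyzers flag the read of `dest->flags`.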
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.