tr_create_dh_params does not return when it should
Bug #1730679 reported by
Stefan Paetow
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Moonshot Trust-Router |
Fix Released
|
High
|
Jennifer Richards | ||
Bug Description
The tr_create_dh_params function (in common/tr_dh.c) defines the following at the top of the function (from line 94 onwards):
if (NULL == (dh = DH_new()))
return NULL;
if ((NULL == (dh->g = BN_new())) ||
(NULL == (dh->p = BN_new())) ||
(NULL == (dh->q = BN_new()))) {
DH_free(dh);
}
BN_set_
dh->p = BN_bin2bn(
BN_rshift1(dh->q, dh->p);
The first if () is uncontroversial. It is pretty clear. However, the second does not return after freeing the 'dh' structure... I'm sure it's never happened before that BN_new() returns a failure (NULL), but this would cause a crash, no?
Should there be a 'return NULL;' after the 'DH_free(dh);' line? I suspect yes?
| description: | updated |
Revision history for this message
| Jennifer Richards (jennifer-k) wrote | #1 |
Revision history for this message
| Jennifer Richards (jennifer-k) wrote | #2 |
Revision history for this message
| Jennifer Richards (jennifer-k) wrote | #3 |
| Changed in moonshot-tr: | |
| status: | New → Fix Committed |
| assignee: | nobody → Jennifer Richards (jennifer-k) |
Revision history for this message
| Stefan Paetow (stefan-paetow) wrote | #4 |
| information type: | Private Security → Public |
| Changed in moonshot-tr: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Yes, I would expect this to cause a segmentation fault. It should return failure as you suggest.