Commit ece482ff authored Oct 20, 2018 by Dr. Matthias St. Pierre

RAND_add(): fix heap corruption in error path



This bug was introduced by #7382 which enhanced RAND_add() to
accept large buffer sizes. As a consequence, RAND_add() now fails
for buffer sizes less than 32 bytes (i.e. less than 256 bits).
In addition, rand_drbg_get_entropy() forgets to reset the attached
drbg->pool in the case of an error, which leads to the heap corruption.

The problem occurred with RAND_load_file(), which reads the file in
chunks of 1024 bytes each. If the size of the final chunk is less than
32 bytes, then RAND_add() fails, whence RAND_load_file() fails
silently for buffer sizes n = k * 1024 + r with r = 1,...,31.

This commit fixes the heap corruption only. The other issues will
be addressed in a separate pull request.

Thanks to Gisle Vanem for reporting this issue.

Fixes #7449

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7455)

(cherry picked from commit 5b4cb385c18a5bb4e118e300f1c746bf7c2a5628)

parent 132fd512

crypto/rand/rand_lib.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -200,6 +200,10 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
		}

		err:
		/* we need to reset drbg->pool in the error case */
		if (ret == 0 && drbg->pool != NULL)
		drbg->pool = NULL;

		rand_pool_free(pool);
		return ret;
		}