Hi

I came across some uninitialized variables in the openssl 0.9.8e source code
while debugging a globus toolkit application crash dump using valgrind. Though
globus toolkit is using the openssl 0.9.7d version, I found that there was very
minimal change in these source code files.

There may be a general problem in the openssl source code where all variables of a
structure are not initialized after allocating space using OPENSSL_malloc().
I found that the source code is not initializing allocated structure variables
uniformly (either using memset() or initializing individual variables) after
OPENSSL_malloc(). Let me know if I can contribute to resolving this problem.

These are the files I analyzed.


crypto/ui/ui_lib.c: UI *UI_new_method(const UI_METHOD *method)
    i.e. uninitialized flags variable in the UI structure

crypto/bn/bn_lib.c: BIGNUM *BN_new(void)

crypto/bn/bn_mont.c: BN_MONT_CTX *BN_MONT_CTX_new(void)
    i.e. uninitialized n0 variable in the BN_MONT_CTX structure


Finally I changed crypto/mem.c so that OPENSSL_malloc() allocates memory
using calloc() instead of malloc().

New static calloc definitions:

/* zeroing allocator hook, alongside the existing malloc_func hook */
static void *(*calloc_func)(size_t, size_t) = calloc;

/* default "extended" wrapper: ignores file/line and calls the hook */
static void *default_calloc_ex(size_t nmemb, size_t num, const char *file, int line)
    { return calloc_func(nmemb, num); }

static void *(*calloc_ex_func)(size_t, size_t, const char *file, int line)
    = default_calloc_ex;

and CRYPTO_malloc(), where I replaced one statement as shown below.

void *CRYPTO_malloc(int num, const char *file, int line)
    {
    void *ret = NULL;
    extern unsigned char cleanse_ctr;

    if (num <= 0) return NULL;

    allow_customize = 0;
    if (malloc_debug_func != NULL)
        {
        allow_customize_debug = 0;
        malloc_debug_func(NULL, num, file, line, 0);
        }

    /* num elements of one byte each, all zeroed */
    ret = calloc_ex_func(num, 1, file, line);
    /* REPLACED HERE: ret = malloc_ex_func(num, 1,file,line); */

#ifdef LEVITTE_DEBUG_MEM
    fprintf(stderr, "LEVITTE_DEBUG_MEM:         > 0x%p (%d)\n", ret, num);
#endif
    if (malloc_debug_func != NULL)
        malloc_debug_func(ret, num, file, line, 1);

    /* Create a dependency on the value of 'cleanse_ctr' so our memory
     * sanitisation function can't be optimised out. NB: We only do
     * this for >2Kb so the overhead doesn't bother us. */
    if(ret && (num > 2048))
        ((unsigned char *)ret)[0] = cleanse_ctr;

    return ret;
    }

Thanks

SAM SHARMA
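The following is an added example, not OpenSSL code and not the poster's patch. It reproduces the mechanism the mail describes: a constructor that sets only some fields after a size-only allocation leaves the rest holding whatever the heap contained, while an allocator that zeroes (calloc-style) makes every field start at zero regardless of what the constructor remembers to set. The struct `example_ctx`, the hooks `ex_malloc` / `ex_zalloc` and the `dirty_malloc` allocator are hypothetical; `dirty_malloc` fills fresh memory with 0xAA so the effect of the missing initializer is deterministic in the demo instead of depending on real heap contents.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context struct standing in for UI / BN_MONT_CTX: a flags word
 * that later code tests, and a pointer that later code frees. */
typedef struct {
    int   flags;
    void *data;
} example_ctx;

/* Simulated "dirty" heap (constructed for this demo): every byte of a fresh
 * block is 0xAA, so a field that nobody initialises is visibly garbage. */
static void *dirty_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0xAA, n);
    return p;
}

/* Pluggable hooks, mirroring the malloc_func / calloc_func indirection the
 * mail adds to crypto/mem.c (names here are assumptions, not OpenSSL's). */
static void *(*malloc_func)(size_t) = dirty_malloc;
static void *(*calloc_func)(size_t, size_t) = calloc;

/* Old behaviour: size-only allocation, contents indeterminate. */
void *ex_malloc(int num, const char *file, int line)
{
    (void)file;
    (void)line;
    if (num <= 0)
        return NULL;
    return malloc_func((size_t)num);
}

/* Proposed behaviour: num elements of one byte, all zeroed. */
void *ex_zalloc(int num, const char *file, int line)
{
    (void)file;
    (void)line;
    if (num <= 0)
        return NULL;
    return calloc_func((size_t)num, 1);
}

/* Constructor in the style the mail criticises: only some fields are set
 * after the allocation; flags is never written. */
example_ctx *ctx_new_partial(void)
{
    example_ctx *c = ex_malloc((int)sizeof(example_ctx), __FILE__, __LINE__);
    if (c == NULL)
        return NULL;
    c->data = NULL;     /* flags left as whatever the heap held */
    return c;
}

/* Constructor on top of the zeroing allocator: every field starts at zero
 * whether or not the constructor remembers it. */
example_ctx *ctx_new_zeroed(void)
{
    return ex_zalloc((int)sizeof(example_ctx), __FILE__, __LINE__);
}

/* 1 if the context is in its clean initial state (no flags, no data). */
int ctx_is_clean(const example_ctx *c)
{
    return c != NULL && c->flags == 0 && c->data == NULL;
}

/* One allocation each, observation returned (not just printed). */
int partial_ctx_is_clean(void)
{
    example_ctx *c = ctx_new_partial();
    int clean = ctx_is_clean(c);
    free(c);
    return clean;
}

unsigned partial_ctx_flags(void)
{
    example_ctx *c = ctx_new_partial();
    unsigned f = (c != NULL) ? (unsigned)c->flags : 0u;
    free(c);
    return f;
}

int zeroed_ctx_is_clean(void)
{
    example_ctx *c = ctx_new_zeroed();
    int clean = ctx_is_clean(c);
    free(c);
    return clean;
}

int main(void)
{
    printf("partial constructor: flags=0x%08x clean=%d\n",
           partial_ctx_flags(), partial_ctx_is_clean());
    printf("zeroed  constructor: clean=%d\n", zeroed_ctx_is_clean());
    return 0;
}
```

Zeroing in the allocator is a backstop, not a substitute for the per-field (or memset()) initialisation the mail asks for: a constructor that forgets a field is still a bug, all-bits-zero is not always the intended starting value, and a zeroed allocation pays for a pass over the block that malloc() does not.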



RT-Attachment: 1544/16804/6830
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org