Thanks! I guess if I had debugged more I would have seen that the invalid-freed 
pointer (and not *double*-freed like I assumed) corresponded to the label. I 
kept wondering what that "address is on thread 1's stack" referred to... Quite 
obvious in hindsight.

I just tried to allocate the label with OPENSSL_malloc and everything worked 
smoothly (also works with regular malloc). Thanks again! And sorry for the 
half-assed debugging.



----- Original Message -----
From: "Dr. Stephen Henson" <st...@openssl.org>
To: openssl-users@openssl.org
Sent: Monday, May 12, 2014 3:22:44 PM
Subject: Re: [1.0.2 beta 1] double free when using CMS with OAEP

On Mon, May 12, 2014, Kevin Le Gouguec wrote:

> (This is on 1.0.2 beta 1 as found on openssl.org/source)
> 
> I'm getting a double free error when building a CMS EnvelopedData with RSA 
> OAEP. Here's how I'm setting things up (error checking left out for brevity):
> 
> 
>   unsigned char oaep_label[] = "BLORG";
>   size_t oaep_label_l = sizeof(oaep_label);
>   EVP_PKEY_CTX* wrap_ctx = CMS_RecipientInfo_get0_pkey_ctx(r_info);
>   if (!wrap_ctx) {
>     printf("oh noes! no wrap ctx :(\n");
>     goto end;
>   }
>   if (EVP_PKEY_CTX_set_rsa_padding(wrap_ctx, RSA_PKCS1_OAEP_PADDING)<1)
>     OSSL_FAIL;
>   if (EVP_PKEY_CTX_set_rsa_oaep_md(wrap_ctx, EVP_sha256())<1)
>     OSSL_FAIL;
>   if (EVP_PKEY_CTX_set_rsa_mgf1_md(wrap_ctx, EVP_sha256())<1)
>     OSSL_FAIL;
>   if (EVP_PKEY_CTX_set0_rsa_oaep_label(wrap_ctx, oaep_label, oaep_label_l)<1)
>     OSSL_FAIL;
> 

Your problem is the OAEP label. The "set0" in the function name means the
pointer is used and freed internally by OpenSSL and shouldn't be freed
outside. In this case the label hasn't been allocated using OPENSSL_malloc so
you'll get a problem when OpenSSL tries to free it.

If you allocate a buffer for the OAEP label using OPENSSL_malloc and pass that
you should have no problem.

See:

http://www.openssl.org/docs/crypto/crypto.html#NOTES

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
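
A self-contained model of the ownership rule described in the reply above, added here as an illustration; it is not code from the thread or from OpenSSL and does not call the library. `model_malloc`, `model_free`, `ctx_set0_label` and `set_label_copy` are hypothetical stand-ins for `OPENSSL_malloc`, `OPENSSL_free`, a "set0" setter and a caller-side wrapper, and the rule that a failed call leaves ownership with the caller is an assumption of the model.

```c
#include <stdlib.h>
#include <string.h>

/* Model allocator: tracks live heap pointers so a bad free is counted, not executed. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int invalid_frees;

static void *model_malloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = malloc(n);
    return NULL;                          /* tracking table full */
}
static void model_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;                      /* not from model_malloc, e.g. a stack address */
}

struct model_ctx { unsigned char *label; size_t len; };
/* "set0" contract: on success the context owns `label` and frees it at cleanup. */
static int ctx_set0_label(struct model_ctx *c, unsigned char *label, size_t len) {
    if (!c) return 0;                     /* failure: caller still owns label (assumed) */
    model_free(c->label);                 /* release any previous label */
    c->label = label; c->len = len;
    return 1;
}
static void ctx_cleanup(struct model_ctx *c) { model_free(c->label); c->label = NULL; }

/* Caller side: hand over a heap copy; free it ourselves only if the call fails. */
static int set_label_copy(struct model_ctx *c, const unsigned char *src, size_t len) {
    unsigned char *copy = model_malloc(len);
    if (!copy) return 0;
    memcpy(copy, src, len);
    if (ctx_set0_label(c, copy, len)) return 1;
    model_free(copy);
    return 0;
}

int invalid_frees_for(int use_copy) {
    unsigned char oaep_label[] = "BLORG"; /* stack array, as in the quoted code */
    struct model_ctx c = {0};
    invalid_frees = 0;
    if (use_copy) set_label_copy(&c, oaep_label, sizeof oaep_label);
    else ctx_set0_label(&c, oaep_label, sizeof oaep_label);
    ctx_cleanup(&c);
    return invalid_frees;                 /* 1 for the stack array, 0 for the heap copy */
}
int main(void) { return !(invalid_frees_for(0) == 1 && invalid_frees_for(1) == 0); }
```
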