From d213317da6065e3c1a149fac33fd16db500b60f6 Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Fri, 28 Sep 2018 12:27:48 -0400
Subject: Avoid null pointer write in FFI If a function returning variable length output was called with a null output buffer but a non-zero output buffer length, FFI layer would call memset(nullptr, 0, buffer_len) and crash. Caught by Coverity.
---
 src/lib/ffi/ffi_util.h | 5 ++++-
 src/tests/test_ffi.cpp | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/lib/ffi/ffi_util.h b/src/lib/ffi/ffi_util.h
index 684b25870..f72af0a63 100644
--- a/src/lib/ffi/ffi_util.h
+++ b/src/lib/ffi/ffi_util.h
@@ -128,7 +128,10 @@ inline int write_output(uint8_t out[], size_t* out_len, const uint8_t buf[], siz
 }
 else
 {
- Botan::clear_mem(out, avail);
+ if(out != nullptr)
+ {
+ Botan::clear_mem(out, avail);
+ }
 return BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE;
 }
 }
diff --git a/src/tests/test_ffi.cpp b/src/tests/test_ffi.cpp
index 6687697cb..aca2dbfb9 100644
--- a/src/tests/test_ffi.cpp
+++ b/src/tests/test_ffi.cpp
@@ -328,6 +328,9 @@ class FFI_Unit_Tests final : public Test
 size_t date_len = 0;
 TEST_FFI_RC(BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE, botan_x509_cert_get_time_starts, (cert, nullptr, &date_len));
+ date_len = 8;
+ TEST_FFI_RC(BOTAN_FFI_ERROR_INSUFFICIENT_BUFFER_SPACE, botan_x509_cert_get_time_starts, (cert, nullptr, &date_len));
+ std::string date(date_len - 1, '0');
 TEST_FFI_OK(botan_x509_cert_get_time_starts, (cert, &date[0], &date_len));
 result.test_eq("cert valid from", date, "070719152718Z");
--
cgit v1.2.3
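Review bot: The new `out != nullptr` check protects only the `else` branch of `write_output`; the branch before it lies above this hunk, and if it copies `buf` into `out` whenever `avail` is large enough, a null `out` passed with a sufficiently large `*out_len` would still be written through. Treating a null buffer as zero capacity where `avail` is initialised would cover both branches with one check, for example `const size_t avail = (out != nullptr) ? *out_len : 0;` (the initialisation is outside the hunk, so its exact form is assumed here). That would keep the insufficient-space return code that the updated test expects for a null buffer. A short comment such as `// out may be null when the caller only queries the required length` would also record why null is tolerated at this point.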
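Review bot: The added case in the `botan_x509_cert_get_time_starts` checks uses only `date_len = 8`, which is shorter than the 13-character value compared a few lines below, so it exercises the insufficient-space path and nothing else. A null buffer combined with a length that is at least as large as the output is left untested. A second case right after this one, `date_len = 64;` followed by the same `TEST_FFI_RC` call with `nullptr`, would pin down which return code the FFI layer is meant to give there. The enclosing test function starts and ends outside the hunk.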