6 changes: 3 additions & 3 deletions crypto/bio/bio.c
Expand Up @@ -305,6 +305,9 @@ int BIO_write(BIO *bio, const void *in, int inl) {
}

int BIO_write_ex(BIO *bio, const void *data, size_t data_len, size_t *written_bytes) {
if (written_bytes != NULL) {
*written_bytes = 0;
}
if (bio == NULL) {
OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);
return 0;
Expand All @@ -322,9 +325,6 @@ int BIO_write_ex(BIO *bio, const void *data, size_t data_len, size_t *written_by
}
return 1;
} else {
if (written_bytes != NULL) {
*written_bytes = 0;
}
return 0;
}
}
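Review bot: The zeroing of `*written_bytes` that now opens BIO_write_ex carries no comment saying why it must precede the `bio == NULL` check, so a later cleanup could move it back below the early returns and leave callers reading an unset length again. I would add `// Zero the output first so every failure return, including the NULL-bio one, leaves it defined.` above that `if`. With its body gone, the trailing `else { return 0; }` after `return 1;` can also be flattened to a plain `return 0;`. The middle of the function sits between the two hunks and is not shown, so any other early return there is assumed to rely on the same initialisation.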
5 changes: 5 additions & 0 deletions crypto/conf/conf.c
Expand Up @@ -484,6 +484,11 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) {
// we now have a line with trailing \r\n removed

// i is the number of bytes
// Ensure addition doesn't overflow and corrupt the signed buffer position
if (i > INT_MAX - bufnum) {
OPENSSL_PUT_ERROR(CONF, ERR_R_OVERFLOW);
goto err;
}
bufnum += i;

v = NULL;
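Review bot: The new guard before `bufnum += i` is sound only while `bufnum` is non-negative, because `INT_MAX - bufnum` itself overflows for a negative value; the declarations of `i` and `bufnum` are outside this hunk, so either confirm that invariant or write the test as `if (bufnum < 0 || i > INT_MAX - bufnum) {`. The check also covers just this one sum: if the surrounding loop in NCONF_load_bio adds a fixed chunk size to `bufnum` when it grows the read buffer, that expression needs the same headroom, which cannot be seen from here. The function body starts and ends outside the hunk.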
1 change: 1 addition & 0 deletions crypto/fipsmodule/bn/bytes.c
Expand Up @@ -91,6 +91,7 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
return NULL;
}
ret->width = (int)num_words;
ret->neg = 0;

bn_little_endian_to_words(ret->d, ret->width, in, len);
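Review bot: The added `ret->neg = 0;` in BN_le2bn presumably matters only when the caller passes in a reused BIGNUM, and nothing at the assignment says so; a short comment such as `// |ret| may be a reused BIGNUM; the decoded value is always non-negative.` would keep the line from looking redundant. A regression test that decodes into a BIGNUM previously set negative would pin the behaviour. The allocation and whatever bound makes the `(int)num_words` cast safe are above the hunk and not visible here.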

9 changes: 7 additions & 2 deletions crypto/pem/pem_lib.c
Expand Up @@ -483,7 +483,8 @@ int PEM_write(FILE *fp, const char *name, const char *header,

int PEM_write_bio(BIO *bp, const char *name, const char *header,
const unsigned char *data, long len) {
int nlen, n, i, j, outl;
int nlen, n, outl;
long i, j;
unsigned char *buf = NULL;
EVP_ENCODE_CTX ctx;
int reason = ERR_R_BUF_LIB;
Expand Down Expand Up @@ -533,7 +534,11 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header,
(BIO_write(bp, "-----\n", 6) != 6)) {
goto err;
}
return i + outl;
if (i + outl > INT_MAX) {
reason = ERR_R_OVERFLOW;
goto err;
}
return (int)(i + outl);
err:
if (buf) {
OPENSSL_free(buf);
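Review bot: The overflow test `if (i + outl > INT_MAX)` before the final return of PEM_write_bio does its arithmetic in `long`, which is 32 bits wide on LLP64 targets such as 64-bit Windows; there the sum can overflow (undefined behaviour) before the comparison and the condition can never be true, so the guard is ineffective. Comparing against the remaining headroom avoids the addition: `if (outl < 0 || i > INT_MAX - outl) {`. The accumulation into `i` inside the encode loop lies between the two hunks and is not visible, so the same width concern may apply there. This error path is also taken after the footer has already been written to `bp`, so a caller sees failure with a complete PEM block emitted; whether that is intended is worth stating in a comment.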
8 changes: 8 additions & 0 deletions crypto/x509/x_crl.c
Expand Up @@ -138,6 +138,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &i, NULL);
if (crl->idp != NULL) {
if (!setup_idp(crl, crl->idp)) {
ISSUING_DIST_POINT_free(crl->idp);
crl->idp = NULL;
return 0;
}
} else if (i != -1) {
Expand All @@ -147,6 +149,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
crl->akid =
X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, &i, NULL);
if (crl->akid == NULL && i != -1) {
ISSUING_DIST_POINT_free(crl->idp);
crl->idp = NULL;
return 0;
}

Expand All @@ -169,6 +173,10 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
}

if (!crl_parse_entry_extensions(crl)) {
AUTHORITY_KEYID_free(crl->akid);
crl->akid = NULL;
ISSUING_DIST_POINT_free(crl->idp);
crl->idp = NULL;
return 0;
}
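Review bot: The same free-and-clear sequence for `crl->idp` (and `crl->akid`) is now written out by hand at three separate `return 0` sites in crl_cb, so any failure path added later, or one already present in the lines between these hunks that are not shown, has to remember it or the CRL keeps a stale pointer. Folding the cleanup into one static helper called from each failure return keeps the paths in step. The helper below also frees `crl->akid` on the first path; that assumes the field is NULL or owned by the CRL at that point, which the hunk does not show and should be confirmed. crl_cb begins and ends outside the visible hunks.

```c
// Drops the extension values cached on |crl| so a failed parse leaves no
// partially initialised state behind.
static void crl_reset_cached_exts(X509_CRL *crl) {
  AUTHORITY_KEYID_free(crl->akid);
  crl->akid = NULL;
  ISSUING_DIST_POINT_free(crl->idp);
  crl->idp = NULL;
}

// … unchanged: crl_cb up to the setup_idp() call …
        if (!setup_idp(crl, crl->idp)) {
          crl_reset_cached_exts(crl);
          return 0;
        }
// … unchanged: authority key identifier lookup …
      if (crl->akid == NULL && i != -1) {
        crl_reset_cached_exts(crl);
        return 0;
      }
// … unchanged: lines between the second and third hunk …
      if (!crl_parse_entry_extensions(crl)) {
        crl_reset_cached_exts(crl);
        return 0;
      }
```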
