
Update openssl and other tools to add missing NULL check and avoid memleaks

Open icy17 opened this issue 4 months ago • 5 comments

Some parts of the code are missing checks for OpenSSL API return values. While a few of these issues have already been addressed in recent OpenSSL updates, others remain unfixed. The code should be updated accordingly.

Most of the bugs are from crypto/openssl/fuzz/. I'm not sure if you plan to fix them, but I’d be happy to help and can submit a PR if needed. I also notice there are some memleaks under avahi/, contrib/ and tools/; I can also submit a PR if needed.

icy17 avatar Aug 27 '25 08:08 icy17

Let's re-check once I pick up the latest latest latest upstream commits. They're usually pretty good at patching openssl. Absolutely feel free to submit patches for any bugs you find!

mszoek avatar Sep 09 '25 23:09 mszoek

@icy17 Can you recheck now that we've picked up the latest stable upstream changes?

mszoek avatar Oct 16 '25 19:10 mszoek

Some of the bugs have already been fixed. However, there are still null pointer dereference issues in OpenSSL. I’ve submitted a PR to the OpenSSL project to address those, but it hasn’t been merged yet. Would you like me to open a separate PR here to fix these issues in the meantime?

Also, I noticed that some of the bugs occur in the gnu, ether_reflect, libpcap, and wpa directories. Would you like me to fix those as part of this project as well?

icy17 avatar Oct 17 '25 11:10 icy17

Yes please! Send us a PR for any bugs you find.

mszoek avatar Oct 17 '25 13:10 mszoek

I’ve opened a PR that fixes several missing NULL-check bugs.

In addition, I noticed a few memory leaks related to the use of pcap_compile() in the following files:

  • gnu/usr.bin/avahi/avahi-autoipd/main.c
  • tools/tools/ether_reflect/ether_reflect.c
  • contrib/libpcap/testprogs/selpolltest.c
  • contrib/libpcap/testprogs/valgrindtest.c
  • contrib/wpa/src/l2_packet/l2_packet_winpcap.c
  • contrib/wpa/src/l2_packet/l2_packet_freebsd.c

After calling pcap_compile(), there is no corresponding call to pcap_freecode() to release the second parameter, which can cause a memory leak.

I’m just reporting these potential issues. I’m not very familiar with this part of the code, so I’m not sure about the correct way to fix them.

icy17 avatar Oct 31 '25 10:10 icy17
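A heuristic audit for the leak pattern reported above, added here as an example and not taken from the issue or from ravynOS: it flags each `pcap_compile()` call whose second argument (the `struct bpf_program`) is never passed to `pcap_freecode()` later in the same file. The helper names and the C sample are constructed for illustration, and the check is file-scoped, so a same-named variable freed in a later function hides a finding.

```python
import re

# Constructed C sample: leaky() never frees fp, fixed() frees prog after use.
SAMPLE = """\
static int leaky(pcap_t *p) {
    struct bpf_program fp;
    if (pcap_compile(p, &fp, "arp", 1, PCAP_NETMASK_UNKNOWN) < 0)
        return -1;
    return pcap_setfilter(p, &fp);
}
static int fixed(pcap_t *p) {
    struct bpf_program prog;
    if (pcap_compile(p, &prog, "arp", 1, PCAP_NETMASK_UNKNOWN) < 0)
        return -1;
    int rc = pcap_setfilter(p, &prog);
    pcap_freecode(&prog);
    return rc;
}
"""

def call_args(src, open_idx):
    """Split the call whose '(' sits at open_idx into top-level arguments."""
    args, cur, depth = [], [], 0
    for ch in src[open_idx:]:
        if ch == "(":
            depth += 1
            if depth == 1:
                continue
        elif ch == ")":
            depth -= 1
        if depth == 0 or (ch == "," and depth == 1):
            args.append("".join(cur).strip())
            if depth == 0:
                break
            cur = []
            continue
        cur.append(ch)
    return args

def program_var(args, index):
    """Name of the bpf_program argument with any leading '&' removed."""
    return args[index].lstrip("&").strip() if len(args) > index else None

def unfreed_filters(src):
    """Return (line, variable) for each pcap_compile() with no later pcap_freecode()."""
    frees = [(m.start(), program_var(call_args(src, m.end() - 1), 0))
             for m in re.finditer(r"\bpcap_freecode\s*\(", src)]
    findings = []
    for m in re.finditer(r"\bpcap_compile\s*\(", src):
        prog = program_var(call_args(src, m.end() - 1), 1)
        if prog and not any(pos > m.start() and var == prog for pos, var in frees):
            findings.append((src.count("\n", 0, m.start()) + 1, prog))
    return findings
```

In the `fixed()` half of the sample, the program is released right after `pcap_setfilter()`, which is the point at which libpcap's documentation says the compiled filter is no longer needed.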