EVP* function results in lib/util/digest_openssl.c are not checked
ngie-eign opened this issue · 1 comments
Coverity reported the fact that the results of EVP_DigestInit_ex
and EVP_DigestFinal_ex
are not checked. In the event that the md
provided is invalid and the corresponding ctx
is not checked, attempting to use ctx
after the fact can result in semi-undefined behavior (SIGBUS, SIGSEGV crash, etc).
These issues were reported by Coverity.
sudo/lib/util/digest_openssl.c
Line 146 in 648ce41
sudo/lib/util/digest_openssl.c
Line 156 in 648ce41
This is a false positive. The call to EVP_DigestInit_ex() in sudo_digest_alloc_v1() is checked. The call in sudo_digest_reset_v1() is not checked because it cannot fail since it is preceded by a call to EVP_MD_CTX_reset() so there is no additional memory to allocate. The md in the call to EVP_DigestFinal_ex() is a result variable, it is not a EVP_MD. Even if EVP_DigestFinal_ex() were to fail it would just fail to fill in md, not crash.