From 2f0164304794d87d8fb5cedcc40049dbc12db71d Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 1 Sep 2015 15:45:21 +0200
Subject: rand: fix null pointer dereference caused by unchecked md_init()
 return

---
 crypto/rand/md_rand.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index 5c13d57..f74ca27 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -266,7 +266,11 @@ static void ssleay_rand_add(const void *buf, int num, double add)
         j = (num - i);
         j = (j > MD_DIGEST_LENGTH) ? MD_DIGEST_LENGTH : j;
 
-        MD_Init(&m);
+        if (!MD_Init(&m)) {
+            EVP_MD_CTX_cleanup(&m);
+            if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+                return;
+        }
         MD_Update(&m, local_md, MD_DIGEST_LENGTH);
         k = (st_idx + j) - STATE_SIZE;
         if (k > 0) {
@@ -469,7 +473,11 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
         /* num_ceil -= MD_DIGEST_LENGTH/2 */
         j = (num >= MD_DIGEST_LENGTH / 2) ? MD_DIGEST_LENGTH / 2 : num;
         num -= j;
-        MD_Init(&m);
+        if (!MD_Init(&m)) {
+            EVP_MD_CTX_cleanup(&m);
+            return 0;
+        }
+
 #ifndef GETPID_IS_MEANINGLESS
         if (curr_pid) {         /* just in the first iteration to save time */
             MD_Update(&m, (unsigned char *)&curr_pid, sizeof curr_pid);
@@ -508,7 +516,10 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
         }
     }
 
-    MD_Init(&m);
+    if (!MD_Init(&m)) {
+        EVP_MD_CTX_cleanup(&m);
+        return 0;
+    }
     MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c));
     MD_Update(&m, local_md, MD_DIGEST_LENGTH);
     if (lock)
-- 
1.7.12.1