author | Doug Hogan <doug@cvs.openbsd.org> | 2015-03-15 22:52:18 +0000 |
---|---|---|
committer | Doug Hogan <doug@cvs.openbsd.org> | 2015-03-15 22:52:18 +0000 |
commit | 87e058eaab52290c6c442f5283f4abf1b9dfdf3a (patch) | |
tree | 10d5f4a228a7b8a4377db727c178c0fb9007b654 | |
parent | 30f2a2a75f770ae5083039c295c7497b73301af9 (diff) |
Avoid a NULL pointer deref when X509_get_pubkey() returns NULL.

A NULL pointer could be dereferenced when X509_REQ_set_pubkey() calls
X509_PUBKEY_set() with pktmp.

OpenSSL says it's the fix for CVE-2015-0288, but there aren't any public
details yet to confirm. Either way, we should fix this.

Based on OpenSSL commit 28a00bcd8e318da18031b2ac8778c64147cd54f9
and BoringSSL commit 9d102ddbc0f6ed835ed12272a3d8a627d6a8e728.

"looks sane" beck@
ok miod@, bcook@
-rw-r--r-- | lib/libssl/src/crypto/x509/x509_req.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/libssl/src/crypto/x509/x509_req.c b/lib/libssl/src/crypto/x509/x509_req.c index 452ce0a5124..8813f372cce 100644 --- a/lib/libssl/src/crypto/x509/x509_req.c +++ b/lib/libssl/src/crypto/x509/x509_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_req.c,v 1.16 2014/09/28 10:50:33 miod Exp $ */ +/* $OpenBSD: x509_req.c,v 1.17 2015/03/15 22:52:17 doug Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -94,7 +94,9 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) goto err; - pktmp = X509_get_pubkey(x); + if ((pktmp = X509_get_pubkey(x)) == NULL) + goto err; + i = X509_REQ_set_pubkey(ret, pktmp); EVP_PKEY_free(pktmp); if (!i) |
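Review bot: The NULL check added in the second hunk (`if ((pktmp = X509_get_pubkey(x)) == NULL) goto err;`) protects only this call site in X509_to_X509_REQ(), while the commit message places the actual dereference further down, in X509_PUBKEY_set() as reached through X509_REQ_set_pubkey(). It is worth checking whether other callers can hand a NULL key to X509_REQ_set_pubkey(), and whether a NULL check inside that path would be a better second line of defence. The new branch is also taken after `ret` has already been used by X509_REQ_set_subject_name(ret, ...), and the `err` label is outside the visible context, so please confirm that it frees `ret` and returns NULL on this path. The early exit before `EVP_PKEY_free(pktmp)` is fine, since `pktmp` is NULL when it is taken.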