summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDoug Hogan <doug@cvs.openbsd.org>2015-03-15 22:52:18 +0000
committerDoug Hogan <doug@cvs.openbsd.org>2015-03-15 22:52:18 +0000
commit87e058eaab52290c6c442f5283f4abf1b9dfdf3a (patch)
tree10d5f4a228a7b8a4377db727c178c0fb9007b654 /lib
parent30f2a2a75f770ae5083039c295c7497b73301af9 (diff)
Avoid a NULL pointer deref when X509_get_pubkey() returns NULL.
A NULL pointer could be dereferenced when X509_REQ_set_pubkey() calls X509_PUBKEY_set() with pktmp. OpenSSL says it's the fix for CVE-2015-0288, but there aren't any public details yet to confirm. Either way, we should fix this. Based on OpenSSL commit 28a00bcd8e318da18031b2ac8778c64147cd54f9 and BoringSSL commit 9d102ddbc0f6ed835ed12272a3d8a627d6a8e728. "looks sane" beck@ ok miod@, bcook@
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/src/crypto/x509/x509_req.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/libssl/src/crypto/x509/x509_req.c b/lib/libssl/src/crypto/x509/x509_req.c
index 452ce0a5124..8813f372cce 100644
--- a/lib/libssl/src/crypto/x509/x509_req.c
+++ b/lib/libssl/src/crypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.16 2014/09/28 10:50:33 miod Exp $ */
+/* $OpenBSD: x509_req.c,v 1.17 2015/03/15 22:52:17 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -94,7 +94,9 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
goto err;
- pktmp = X509_get_pubkey(x);
+ if ((pktmp = X509_get_pubkey(x)) == NULL)
+ goto err;
+
i = X509_REQ_set_pubkey(ret, pktmp);
EVP_PKEY_free(pktmp);
if (!i)