Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

diff --git a/lib/libssl/bs_cbs.c b/lib/libssl/bs_cbs.c
index fc2eaff..0237f73 100644 (file)
--- a/lib/libssl/bs_cbs.c
+++ b/lib/libssl/bs_cbs.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: bs_cbs.c,v 1.5 2015/04/29 01:23:20 doug Exp $ */
+/*     $OpenBSD: bs_cbs.c,v 1.6 2015/04/29 01:27:34 doug Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -236,7 +236,8 @@ CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
 
                if ((tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
                        /* indefinite length */
-                       *out_header_len = 2;
+                       if (out_header_len != NULL)
+                               *out_header_len = 2;
                        return CBS_get_bytes(cbs, out, 2);
                }
 

diff --git a/lib/libssl/src/ssl/bs_cbs.c b/lib/libssl/src/ssl/bs_cbs.c
index fc2eaff..0237f73 100644 (file)
--- a/lib/libssl/src/ssl/bs_cbs.c
+++ b/lib/libssl/src/ssl/bs_cbs.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: bs_cbs.c,v 1.5 2015/04/29 01:23:20 doug Exp $ */
+/*     $OpenBSD: bs_cbs.c,v 1.6 2015/04/29 01:27:34 doug Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -236,7 +236,8 @@ CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
 
                if ((tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
                        /* indefinite length */
-                       *out_header_len = 2;
+                       if (out_header_len != NULL)
+                               *out_header_len = 2;
                        return CBS_get_bytes(cbs, out, 2);
                }