From 137b8d492653bc648f60b9636e4a04ea9585df81 Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 31 Aug 2022 06:51:36 +0000 Subject: [PATCH] Avoid potential NULL dereference in ssl_set_pkey() Switch from X509_get_pubkey() to X509_get0_pubkey() to avoid an unnecessary EVP_PKEY_free(). Check the return values of X509_get0_pubkey() and EVP_PKEY_copy_parameters(). If the former returns NULL, the latter will dereference NULL. CID 25020 ok jsing --- lib/libssl/ssl_rsa.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/lib/libssl/ssl_rsa.c b/lib/libssl/ssl_rsa.c index 192dc4291e6..98c1e1b7b38 100644 --- a/lib/libssl/ssl_rsa.c +++ b/lib/libssl/ssl_rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.45 2022/06/30 09:08:35 tb Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.46 2022/08/31 06:51:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -184,9 +184,13 @@ ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey) if (c->pkeys[i].x509 != NULL) { EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(c->pkeys[i].x509); - EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); + + if ((pktmp = X509_get0_pubkey(c->pkeys[i].x509)) == NULL) + return 0; + + if (!EVP_PKEY_copy_parameters(pktmp, pkey)) + return 0; + ERR_clear_error(); /* @@ -209,7 +213,7 @@ ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey) c->key = &(c->pkeys[i]); c->valid = 0; - return (1); + return 1; } int -- 2.20.1