From 874a9cdc392e63fbc0fb725a4b63acb245b75a6e Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 29 Apr 2015 01:27:34 +0000 Subject: [PATCH] Avoid NULL deref in CBS_get_any_asn1_element(). This function is documented as allowing NULL for out_header_len. ok jsing@ --- lib/libssl/bs_cbs.c | 5 +++-- lib/libssl/src/ssl/bs_cbs.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/libssl/bs_cbs.c b/lib/libssl/bs_cbs.c index fc2eafff0eb..0237f736819 100644 --- a/lib/libssl/bs_cbs.c +++ b/lib/libssl/bs_cbs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbs.c,v 1.5 2015/04/29 01:23:20 doug Exp $ */ +/* $OpenBSD: bs_cbs.c,v 1.6 2015/04/29 01:27:34 doug Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -236,7 +236,8 @@ CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, if ((tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) { /* indefinite length */ - *out_header_len = 2; + if (out_header_len != NULL) + *out_header_len = 2; return CBS_get_bytes(cbs, out, 2); } diff --git a/lib/libssl/src/ssl/bs_cbs.c b/lib/libssl/src/ssl/bs_cbs.c index fc2eafff0eb..0237f736819 100644 --- a/lib/libssl/src/ssl/bs_cbs.c +++ b/lib/libssl/src/ssl/bs_cbs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbs.c,v 1.5 2015/04/29 01:23:20 doug Exp $ */ +/* $OpenBSD: bs_cbs.c,v 1.6 2015/04/29 01:27:34 doug Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -236,7 +236,8 @@ CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, if ((tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) { /* indefinite length */ - *out_header_len = 2; + if (out_header_len != NULL) + *out_header_len = 2; return CBS_get_bytes(cbs, out, 2); } -- 2.20.1