authordoug <doug@openbsd.org>2015-03-15 22:52:17 +0000
committerdoug <doug@openbsd.org>2015-03-15 22:52:17 +0000
commitdecd7047ef7ec22326fa6a959b7a9c3e318c47c9 (patch)
treeae73d6e5d5586636bcc1576476eeecab451752a0 /lib/libssl/src
parentPrevent use after free. (diff)
Avoid a NULL pointer deref when X509_get_pubkey() returns NULL.
A NULL pointer could be dereferenced when X509_REQ_set_pubkey() calls X509_PUBKEY_set() with pktmp. OpenSSL says it's the fix for CVE-2015-0288, but there aren't any public details yet to confirm. Either way, we should fix this. Based on OpenSSL commit 28a00bcd8e318da18031b2ac8778c64147cd54f9 and BoringSSL commit 9d102ddbc0f6ed835ed12272a3d8a627d6a8e728. "looks sane" beck@ ok miod@, bcook@
Diffstat (limited to 'lib/libssl/src')
-rw-r--r--lib/libssl/src/crypto/x509/x509_req.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/libssl/src/crypto/x509/x509_req.c b/lib/libssl/src/crypto/x509/x509_req.c
index 452ce0a5124..8813f372cce 100644
--- a/lib/libssl/src/crypto/x509/x509_req.c
+++ b/lib/libssl/src/crypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.16 2014/09/28 10:50:33 miod Exp $ */
+/* $OpenBSD: x509_req.c,v 1.17 2015/03/15 22:52:17 doug Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -94,7 +94,9 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
goto err;
- pktmp = X509_get_pubkey(x);
+ if ((pktmp = X509_get_pubkey(x)) == NULL)
+ goto err;
+
i = X509_REQ_set_pubkey(ret, pktmp);
EVP_PKEY_free(pktmp);
if (!i)
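Review bot: The new NULL check on `X509_get_pubkey(x)` guards only this call site, while the dereference the commit message describes happens further down, in `X509_PUBKEY_set()` as reached through `X509_REQ_set_pubkey()`. Neither callee is in this diff, so it is worth confirming whether other callers can hand them a NULL key and whether they should reject it themselves. At the check itself a short comment would record why the early exit exists, for example `/* X509_get_pubkey() may return NULL; X509_REQ_set_pubkey() must not see a NULL key. */`. The body of X509_to_X509_REQ starts and ends outside the hunk, so the cleanup at `err` is not visible here.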