Skip to content

Add missing NULL check in openssl #530

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
icy17 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add missing NULL check in openssl #530

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions crypto/openssl/crypto/cms/cms_smime.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ static BIO *cms_get_text_bio(BIO *out, unsigned int flags)
rbio = BIO_new(BIO_s_null());
else if (flags & CMS_TEXT) {
rbio = BIO_new(BIO_s_mem());
if (rbio == NULL)
return NULL;
BIO_set_mem_eof_return(rbio, 0);
} else
rbio = out;
Expand Down
12 changes: 12 additions & 0 deletions crypto/openssl/demos/bio/sconnect.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,15 +61,27 @@ int main(int argc, char *argv[])

/* Let's make an SSL structure */
ssl = SSL_new(ssl_ctx);
if (ssl == NULL)
goto err;

SSL_set_connect_state(ssl);


/* Use it inside an SSL BIO */
ssl_bio = BIO_new(BIO_f_ssl());
if (ssl_bio == NULL)
goto err;

BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);

/* Lets use a connect BIO under the SSL BIO */
out = BIO_new(BIO_s_connect());
if (out == NULL)
{
BIO_free(ssl_bio);
goto err;
}

BIO_set_conn_hostname(out, hostport);

/* The BIO has parsed the host:port and even IPv6 literals in [] */
Expand Down
10 changes: 10 additions & 0 deletions crypto/openssl/fuzz/cmp.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,10 +176,20 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
return 0;

in = BIO_new(BIO_s_mem());
if (in == NULL)
return 0;

OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
if (msg != NULL) {
BIO *out = BIO_new(BIO_s_null());

if (out == NULL) {
OSSL_CMP_MSG_free(msg);
BIO_free(in);
return 0;
}

OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);

Expand Down
9 changes: 9 additions & 0 deletions crypto/openssl/fuzz/cms.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,11 +34,20 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
return 0;

in = BIO_new(BIO_s_mem());
if (in == NULL)
return 0;

OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
cms = d2i_CMS_bio(in, NULL);
if (cms != NULL) {
BIO *out = BIO_new(BIO_s_null());

if (out == NULL) {
CMS_ContentInfo_free(cms);
BIO_free(in);
return 0;
}

i2d_CMS_bio(out, cms);
BIO_free(out);
CMS_ContentInfo_free(cms);
Expand Down
3 changes: 3 additions & 0 deletions crypto/openssl/fuzz/conf.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,9 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)

conf = NCONF_new(NULL);
in = BIO_new(BIO_s_mem());
if (in == NULL)
return 0;

OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
NCONF_load_bio(conf, in, &eline);
NCONF_free(conf);
Expand Down
7 changes: 5 additions & 2 deletions crypto/openssl/fuzz/crl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,11 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
X509_CRL *crl = d2i_X509_CRL(NULL, &p, len);
if (crl != NULL) {
BIO *bio = BIO_new(BIO_s_null());
X509_CRL_print(bio, crl);
BIO_free(bio);

if (bio != NULL) {
X509_CRL_print(bio, crl);
BIO_free(bio);
}
Comment on lines -32 to +36
Copy link
Copy Markdown

@reactive-firewall reactive-firewall Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't valid ASN1 encode NULL values in CRL (as already checked for on line 30) meaning in the case bio == NULL we actually want to 'CRL_print' an odd but valid NULL representation (like \0 for echo -e) ... I'd expect the crl ASN1 length to be more indicative of whether there is a "NULL" value here or and odd but valid value, especially after the crl passed the check of != NULL indicating at-least a tag and length are present to parse (even if e.g., T<crl>:0:<NULL> the NULL content should not be considered part of the CRL value as the length is 0) thus I'd expect a zero-length check before a null-value check. Am I just missing something? If so, what am I missing here?

Copy link
Copy Markdown
Collaborator

@mszoek mszoek Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although it's technically legal to encode a NULL, why would a NULL make sense in a certificate revocation list? It doesn't mean anything since it doesn't name any revoked certificates. I think handling this as an error in the CRL is OK.


i2d_X509_CRL(crl, &der);
OPENSSL_free(der);
Expand Down
6 changes: 6 additions & 0 deletions crypto/openssl/fuzz/server.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -569,6 +569,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
# ifndef OPENSSL_NO_DEPRECATED_3_0
/* ECDSA */
bio_buf = BIO_new(BIO_s_mem());
OPENSSL_assert(bio_buf != NULL);
OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSAPrivateKeyPEM, sizeof(ECDSAPrivateKeyPEM)) == sizeof(ECDSAPrivateKeyPEM));
ecdsakey = PEM_read_bio_ECPrivateKey(bio_buf, NULL, NULL, NULL);
ERR_print_errors_fp(stderr);
Expand All @@ -581,6 +582,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
EVP_PKEY_free(pkey);
# endif
bio_buf = BIO_new(BIO_s_mem());
OPENSSL_assert(bio_buf != NULL);
OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSACertPEM, sizeof(ECDSACertPEM)) == sizeof(ECDSACertPEM));
cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
OPENSSL_assert(cert != NULL);
Expand All @@ -593,6 +595,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
/* DSA */
bio_buf = BIO_new(BIO_s_mem());
OPENSSL_assert(bio_buf != NULL);
OPENSSL_assert((size_t)BIO_write(bio_buf, DSAPrivateKeyPEM, sizeof(DSAPrivateKeyPEM)) == sizeof(DSAPrivateKeyPEM));
dsakey = PEM_read_bio_DSAPrivateKey(bio_buf, NULL, NULL, NULL);
ERR_print_errors_fp(stderr);
Expand All @@ -605,6 +608,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
EVP_PKEY_free(pkey);

bio_buf = BIO_new(BIO_s_mem());
OPENSSL_assert(bio_buf != NULL);
OPENSSL_assert((size_t)BIO_write(bio_buf, DSACertPEM, sizeof(DSACertPEM)) == sizeof(DSACertPEM));
cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);
OPENSSL_assert(cert != NULL);
Expand All @@ -616,7 +620,9 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)

server = SSL_new(ctx);
in = BIO_new(BIO_s_mem());
OPENSSL_assert(in != NULL);
out = BIO_new(BIO_s_mem());
OPENSSL_assert(out != NULL);
SSL_set_bio(server, in, out);
SSL_set_accept_state(server);

Expand Down
3 changes: 3 additions & 0 deletions crypto/openssl/test/sslapitest.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1391,6 +1391,9 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher,
BIO_free(out);
out = NULL;
in = BIO_new_file(tmpfilename, "rb");
if (!TEST_ptr(in))
goto end;

BIO_get_fp(in, &ffdp);
ffd = fileno(ffdp);

Expand Down