diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2020-06-05 00:30:00 +0200 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-12-21 15:25:59 +0100 |
commit | c4b2c53fadb158bee34aef90d5a7d500aead1f70 (patch) | |
tree | 3056daff3261143db74fa1aa3cde12c68a296c24 | |
parent | 7a7ed5fc7978309c997804e174914a037777d786 (diff) |
Fix NULL pointer access caused by X509_ATTRIBUTE_create()
When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on. This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.
This bug was found while working on LibreSSL documentation.
Reviewed-by: Theo Buehler <tb@openbsd.org>
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12052)
-rw-r--r-- | crypto/x509/x_attrib.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/crypto/x509/x_attrib.c b/crypto/x509/x_attrib.c index 5c5e608173..5c7e622d1a 100644 --- a/crypto/x509/x_attrib.c +++ b/crypto/x509/x_attrib.c @@ -37,10 +37,13 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value) { X509_ATTRIBUTE *ret = NULL; ASN1_TYPE *val = NULL; + ASN1_OBJECT *oid; + if ((oid = OBJ_nid2obj(nid)) == NULL) + return NULL; if ((ret = X509_ATTRIBUTE_new()) == NULL) return NULL; - ret->object = OBJ_nid2obj(nid); + ret->object = oid; if ((val = ASN1_TYPE_new()) == NULL) goto err; if (!sk_ASN1_TYPE_push(ret->set, val)) |