diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2023-01-02 13:05:08 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2023-02-08 16:33:29 +0100 |
commit | 69b995c6fbc38163d69573803b7aa38ca64b074a (patch) | |
tree | 5e796a53ff427b705e1af6332aa40a8c16f1722b /crypto/cms | |
parent | b1ce6a23f8f61cc2f2f48368a97493498c026aa7 (diff) |
CMS_decrypt_set1_*(): fix NULL deref on unsuitable content type
Fixes #19975
for CMS_decrypt_set1_pkey_and_peer() in the obvious way,
and a related potential crash in CMS_decrypt_set1_password().
The point is that the input might have an unexpected content type,
so a guard is needed at both places after `ec` is obtained.
Note that in CMS_decrypt_set1_pkey_and_peer() there was
no such ec != NULL guard for
```
if (ris != NULL)
debug = ec->debug;
```
maybe because it is implied here by ris != NULL.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19981)
Diffstat (limited to 'crypto/cms')
-rw-r--r-- | crypto/cms/cms_smime.c | 18 |
1 files changed, 11 insertions, 7 deletions
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 69a35f74cb..cf12c5b785 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -710,11 +710,13 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ - OPENSSL_clear_free(ec->key, ec->keylen); - ec->key = NULL; - ec->keylen = 0; + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } - if (ris != NULL) + if (ris != NULL && ec != NULL) debug = ec->debug; cms_pkey_ri_type = ossl_cms_pkey_get_ri_type(pk); @@ -828,9 +830,11 @@ int CMS_decrypt_set1_password(CMS_ContentInfo *cms, CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms); /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */ - OPENSSL_clear_free(ec->key, ec->keylen); - ec->key = NULL; - ec->keylen = 0; + if (ec != NULL) { + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + } for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { ri = sk_CMS_RecipientInfo_value(ris, i); |