From 327de270d583e716bc0282dd0d59e133f41d7ada Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 11 Mar 2015 17:01:38 +0000 Subject: [PATCH] SSL_check_chain fix If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY or the type of the public key is unrecognised then the local variable |cpk| in tls1_check_chain does not get initialised. Subsequently an attempt is made to deref it (after the "end" label), and a seg fault will result. Reviewed-by: Dr. Stephen Henson (cherry picked from commit d813f9eb383a93e472e69750cd1edbb170205ad2) --- ssl/t1_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 2c3a1ec4bc..6e991e0938 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -4126,10 +4126,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, # endif } else { if (!x || !pk) - goto end; + return 0; idx = ssl_cert_type(x, pk); if (idx == -1) - goto end; + return 0; cpk = c->pkeys + idx; if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT) check_flags = CERT_PKEY_STRICT_FLAGS; -- 2.25.1