Fix crash in X509_STORE_CTX_get_by_subject

If using a custom X509_LOOKUP_METHOD then calls to
X509_STORE_CTX_get_by_subject may crash due to an incorrectly initialised
X509_OBJECT being passed to the callback get_by_subject function.

Fixes #8673

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8698)

(cherry picked from commit b926f9deb3dc79d00f0a989370e95867516a3a17)

diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index be39015b0d0126ae1c7a39420770741b9285a8d5..eaf6a8e2f293de1f48e61ba8b6a9122b804c8677 100644 (file)
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
     if (ctx == NULL)
         return 0;
 
+    stmp.type = X509_LU_NONE;
+    stmp.data.ptr = NULL;
+
     CRYPTO_THREAD_write_lock(ctx->lock);
     tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
     CRYPTO_THREAD_unlock(ctx->lock);