Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix potential NULL pointer dereference #1067

Merged
merged 1 commit into from
Jun 22, 2023
Merged

Fix potential NULL pointer dereference #1067

merged 1 commit into from
Jun 22, 2023

Conversation

dkostic
Copy link
Contributor

@dkostic dkostic commented Jun 22, 2023

Issues:

Resolves V935691760

Description of changes:

Fix potential NULL pointer dereference in two places.

Call-outs:

Point out areas that need special attention or support during the review process. Discuss architecture or design changes.

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

nebeid
nebeid reviewed Jun 22, 2023
View reviewed changes
crypto/x509/x509_req.c
@@ -185,6 +185,9 @@ int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
for (; lastpos < n; lastpos++) {
const X509_ATTRIBUTE *attr =
sk_X509_ATTRIBUTE_value(req->req_info->attributes, lastpos);
if (attr == NULL) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this can happen, since n was set the number of attributes, if I understood correctly. There is a similar code here

aws-lc/crypto/x509/t_req.c

Lines 153 to 155 in 8402a6e

for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
X509_ATTRIBUTE *a = sk_X509_ATTRIBUTE_value(sk, i);
ASN1_OBJECT *aobj = X509_ATTRIBUTE_get0_object(a);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, I had the same thought but I'm not 100% certain it can't happen. The additional check is very cheap anyway, so no harm in having it.

crypto/x509/name_print.c
@@ -178,6 +178,10 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent,
} else {
Copy link
Contributor

@nebeid nebeid Jun 22, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the documentation of OBJ_obj2nid() called on l. 174,

aws-lc/include/openssl/obj.h

Lines 110 to 113 in cfce39d

// OBJ_obj2nid returns the nid corresponding to |obj|, or |NID_undef| if no
// such object is known.
OPENSSL_EXPORT int OBJ_obj2nid(const ASN1_OBJECT *obj);

the else branch should be for a known nid. If we prefer to be safe still, maybe the check for NULL would be inside the else branch.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's safer to have the NULL check right before calling strlen unconditionally?

@dkostic dkostic merged commit f49fc13 into aws:main Jun 22, 2023
@dkostic dkostic deleted the V935691760 branch June 22, 2023 16:46
@skmcgrail skmcgrail mentioned this pull request Jul 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nebeid nebeid nebeid approved these changes

@torben-hansen torben-hansen torben-hansen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dkostic @torben-hansen @nebeid