potential null-deref bug in openssl.c

[icy17]

I did this

There is a potential null-dereference when calling BN_num_bits. Calling this API with a NULL pointer cause NULL-dereference.

I expected the following

It's better to check if n is NULL before calling this API.

curl/libcurl version

master

operating system

ubuntu

[bagder]

You mean something like this?

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 9f9c8d136..6be86f871 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -536,13 +536,13 @@ CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl)
           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n);
           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e);
 #else
           RSA_get0_key(rsa, &n, &e, NULL);
 #endif /* HAVE_EVP_PKEY_GET_PARAMS */
-          BIO_printf(mem, "%d", BN_num_bits(n));
+          BIO_printf(mem, "%d", n ? BN_num_bits(n) : 0);
 #else
-          BIO_printf(mem, "%d", BN_num_bits(rsa->n));
+          BIO_printf(mem, "%d", rsa->n ? BN_num_bits(rsa->n) : 0);
 #endif /* HAVE_OPAQUE_RSA_DSA_DH */
           push_certinfo("RSA Public Key", i);
           print_pubkey_BN(rsa, n, i);
           print_pubkey_BN(rsa, e, i);
           FREE_PKEY_PARAM_BIGNUM(n);

[icy17]

Yes, you're correct!