Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

potential null-deref bug in openssl.c #12099

icy17 opened this issue Oct 12, 2023 · 2 comments

potential null-deref bug in openssl.c #12099

icy17 opened this issue Oct 12, 2023 · 2 comments


Copy link

icy17 commented Oct 12, 2023

I did this

There is a potential null-dereference when calling BN_num_bits. Calling this API with a NULL pointer cause NULL-dereference.

I expected the following

It's better to check if n is NULL before calling this API.

curl/libcurl version


operating system


@bagder bagder added the TLS label Oct 12, 2023
Copy link

bagder commented Oct 12, 2023

You mean something like this?

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 9f9c8d136..6be86f871 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -536,13 +536,13 @@ CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl)
           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n);
           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e);
           RSA_get0_key(rsa, &n, &e, NULL);
-          BIO_printf(mem, "%d", BN_num_bits(n));
+          BIO_printf(mem, "%d", n ? BN_num_bits(n) : 0);
-          BIO_printf(mem, "%d", BN_num_bits(rsa->n));
+          BIO_printf(mem, "%d", rsa->n ? BN_num_bits(rsa->n) : 0);
 #endif /* HAVE_OPAQUE_RSA_DSA_DH */
           push_certinfo("RSA Public Key", i);
           print_pubkey_BN(rsa, n, i);
           print_pubkey_BN(rsa, e, i);

bagder added a commit that referenced this issue Oct 12, 2023
Reported-by: icy17 on github
Fixes #12099
Copy link

icy17 commented Oct 12, 2023

Yes, you're correct!

@bagder bagder closed this as completed in b9f832e Oct 13, 2023
zuoxiaofeng pushed a commit to zuoxiaofeng/curl that referenced this issue Nov 28, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Successfully merging a pull request may close this issue.

2 participants