Null Ptr Deref in CMS_decrypt_set1_pkey_and_peer #19975
Labels
branch: master
Merge to master branch
severity: important
Important bugs affecting a released version
triaged: bug
The issue/pr is/fixes a bug
Comments
@DDvO might want to take a look
DDvO added a commit to siemens/openssl that referenced this issue (Jan 2, 2023):

Fixes openssl#19975 for CMS_decrypt_set1_pkey_and_peer() in the obvious way, and a related potential crash in CMS_decrypt_set1_password().

The point is that the input might have an unexpected content type, so a guard is needed at both places after `ec` is obtained.

Note that in CMS_decrypt_set1_pkey_and_peer() there was no such ec != NULL guard for

```
if (ris != NULL)
    debug = ec->debug;
```

maybe because it is implied here by ris != NULL.
DDvO added a commit to siemens/openssl that referenced this issue (Feb 3, 2023):

Fixes openssl#19975 for CMS_decrypt_set1_pkey_and_peer() in the obvious way, and a related potential crash in CMS_decrypt_set1_password().

The point is that the input might have an unexpected content type, so a guard is needed at both places after `ec` is obtained.

Note that in CMS_decrypt_set1_pkey_and_peer() there was no such ec != NULL guard for

```
if (ris != NULL)
    debug = ec->debug;
```

maybe because it is implied here by ris != NULL.
openssl-machine pushed a commit that referenced this issue (Feb 24, 2023):

Fixes #19975 for CMS_decrypt_set1_pkey_and_peer() in the obvious way, and a related potential crash in CMS_decrypt_set1_password().

The point is that the input might have an unexpected content type, so a guard is needed at both places after `ec` is obtained.

Note that in CMS_decrypt_set1_pkey_and_peer() there was no such ec != NULL guard for

```
if (ris != NULL)
    debug = ec->debug;
```

maybe because it is implied here by ris != NULL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from #20209)
openssl-machine pushed a commit that referenced this issue (Feb 24, 2023):

Fixes #19975 for CMS_decrypt_set1_pkey_and_peer() in the obvious way, and a related potential crash in CMS_decrypt_set1_password().

The point is that the input might have an unexpected content type, so a guard is needed at both places after `ec` is obtained.

Note that in CMS_decrypt_set1_pkey_and_peer() there was no such ec != NULL guard for

```
if (ris != NULL)
    debug = ec->debug;
```

maybe because it is implied here by ris != NULL.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from #20209)
(cherry picked from commit ceb767b)
We found a null pointer deref during the decryption of a CMS encrypted message that seems to exist only in master.

When the private key is modified (see below), the call to ossl_cms_get0_env_enc_content in CMS_decrypt_set1_pkey_and_peer returns a null pointer (crypto/cms/cms_smime.c#L710). This null pointer is dereferenced and used in the subsequent call to OPENSSL_clear_free. We did not investigate whether there are other circumstances under which ossl_cms_get0_env_enc_content (crypto/cms/cms_env.c:141) may return null. The bug was introduced about a month ago with a fix of a memory leak (25dd780).

How to reproduce:

This shows

The fix should be straightforward. Similar mem-leaks were merged as part of #19222 and may need similar checks.

Found during fuzzing.
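As an added example (model code written for this page, not OpenSSL's own implementation), the following C program shows the pattern the fix introduces: a getter that returns NULL when the CMS object has a content type without EncryptedContentInfo, and a caller that checks the result before touching ec->key. The struct names, enum tags and function names are hypothetical stand-ins for CMS_ContentInfo, the content-type NIDs, ossl_cms_get0_env_enc_content() and the tail of CMS_decrypt_set1_pkey_and_peer(); the test objects are constructed in memory, not parsed from real DER.

```c
/* Added example, not OpenSSL code: model of the bug class in openssl#19975.
 * CMS_ContentInfo is a tagged union, so a getter for the encrypted content
 * returns NULL for any content type that does not carry it, and every caller
 * that then reads through the pointer must guard for NULL. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical content-type tags standing in for the CMS content-type NIDs. */
enum content_type { CT_DATA, CT_SIGNED, CT_ENVELOPED, CT_AUTH_ENVELOPED };

/* Model of CMS_EncryptedContentInfo: holds the cached content-encryption key. */
struct enc_content {
    unsigned char *key;
    size_t keylen;
    int debug;
};

/* Model of CMS_ContentInfo: enc is only populated for the enveloped types. */
struct content_info {
    enum content_type type;
    struct enc_content *enc;
};

/* Model of ossl_cms_get0_env_enc_content(): NULL for SignedData, Data, ... */
struct enc_content *get0_env_enc_content(const struct content_info *cms)
{
    switch (cms->type) {
    case CT_ENVELOPED:
    case CT_AUTH_ENVELOPED:
        return cms->enc;
    default:
        return NULL;
    }
}

/* Model of the fixed tail of CMS_decrypt_set1_pkey_and_peer(): clear a cached
 * content-encryption key (the OPENSSL_clear_free() added by the leak fix)
 * before a new decryption attempt. Returns 1 on success, 0 when the input has
 * an unexpected content type. Without the ec == NULL check, the ec-> accesses
 * below are exactly the null dereference reported in the issue. */
int decrypt_set1_pkey_guarded(struct content_info *cms)
{
    struct enc_content *ec = get0_env_enc_content(cms);

    if (ec == NULL)           /* the guard the fix adds */
        return 0;

    if (ec->key != NULL) {    /* stand-in for OPENSSL_clear_free(ec->key, ec->keylen) */
        memset(ec->key, 0, ec->keylen);
        free(ec->key);
    }
    ec->key = NULL;
    ec->keylen = 0;
    return 1;
}

/* Constructed test objects: an enveloped message with a cached key, or a
 * message of another type, which carries no encrypted content at all. */
struct content_info *make_content(enum content_type type, size_t keylen)
{
    struct content_info *cms = calloc(1, sizeof *cms);
    if (cms == NULL)
        abort();
    cms->type = type;
    if (type == CT_ENVELOPED || type == CT_AUTH_ENVELOPED) {
        cms->enc = calloc(1, sizeof *cms->enc);
        if (cms->enc == NULL)
            abort();
        cms->enc->key = malloc(keylen);
        if (cms->enc->key == NULL)
            abort();
        memset(cms->enc->key, 0xA5, keylen);   /* dummy key bytes */
        cms->enc->keylen = keylen;
    }
    return cms;
}

void free_content(struct content_info *cms)
{
    if (cms == NULL)
        return;
    if (cms->enc != NULL) {
        free(cms->enc->key);
        free(cms->enc);
    }
    free(cms);
}

int main(void)
{
    struct content_info *env = make_content(CT_ENVELOPED, 32);
    struct content_info *sig = make_content(CT_SIGNED, 0);

    printf("enveloped: %d\n", decrypt_set1_pkey_guarded(env)); /* 1 */
    printf("signed:    %d\n", decrypt_set1_pkey_guarded(sig)); /* 0, no crash */

    free_content(env);
    free_content(sig);
    return 0;
}
```

The same guard is what the fix adds before the OPENSSL_clear_free() in CMS_decrypt_set1_password(); any other caller that obtains `ec` from the getter and reads a field of it (the `debug = ec->debug` case the commit message mentions) needs the same treatment unless a prior check already rules out a NULL result.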