This is the 4th of 4 bugs in the tls_verify_crl() function. The code fails to take into account an empty CRL, for which sk_X509_REVOKED_value() returned NULL in my tests. It proceeds to dereference the NULL pointer, crashing the application.
My patch is as follows:
Both of the other code bases which I noticed were getting the issuer CRL lookup right (second bug, issue #859) fail to check the return value against NULL as well:
FWIW, 4 years ago, stunnel got rid of custom CRL handling code and started relying on OpenSSL's built-in handling instead. That was between 5.23 and 5.24, compare src/verify.c from https://www.usenix.org.uk/mirrors/stunnel/archive/5.x/stunnel-5.23.tar.gz and https://www.usenix.org.uk/mirrors/stunnel/archive/5.x/stunnel-5.24.tar.gz .
I hit this crash in the summer of 2018, after fixing the first crash (issue #858) when dealing with TLS CRLs using CentOS 7's ProFTPD 1.3.5e package against OpenSSL 1.0.2*.
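The NULL check described in this report, shown as an added example that is not the reporter's patch and not ProFTPD or OpenSSL code. The struct types, helper names and sample serials are hypothetical stand-ins that only model the OpenSSL stack accessors' behaviour; returning -1 for an unreadable entry is a design choice of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for X509_REVOKED and STACK_OF(X509_REVOKED). */
struct revoked { const char *serial; };
struct revoked_stack { int num; struct revoked **items; };

/* Same contract as sk_X509_REVOKED_num(): -1 for a NULL stack. */
static int stack_num(const struct revoked_stack *sk) {
    return sk == NULL ? -1 : sk->num;
}

/* Same contract as sk_X509_REVOKED_value(): NULL for a NULL stack
 * or an index outside 0..num-1, so callers must test the result. */
static struct revoked *stack_value(const struct revoked_stack *sk, int i) {
    if (sk == NULL || i < 0 || i >= sk->num) return NULL;
    return sk->items[i];
}

/* 1 = serial is listed, 0 = not listed (includes an empty CRL),
 * -1 = an entry could not be read; the caller should reject. */
int serial_is_revoked(const struct revoked_stack *sk, const char *serial) {
    int n = stack_num(sk);
    for (int i = 0; i < n; i++) {
        struct revoked *r = stack_value(sk, i);
        if (r == NULL || r->serial == NULL)
            return -1;                 /* never dereference a NULL entry */
        if (strcmp(r->serial, serial) == 0)
            return 1;
    }
    return 0;
}

/* Constructed sample data. */
static struct revoked r1 = { "0A" }, r2 = { "1F" };
static struct revoked *full_items[] = { &r1, &r2 };
static struct revoked *bad_items[] = { &r1, NULL };
static const struct revoked_stack full_crl = { 2, full_items };
static const struct revoked_stack empty_crl = { 0, NULL };
static const struct revoked_stack bad_crl = { 2, bad_items };

int main(void) {
    printf("empty: %d\n", serial_is_revoked(&empty_crl, "0A"));
    printf("NULL stack: %d\n", serial_is_revoked(NULL, "0A"));
    printf("listed: %d\n", serial_is_revoked(&full_crl, "1F"));
    printf("damaged: %d\n", serial_is_revoked(&bad_crl, "1F"));
    return 0;
}
```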