tls_process_cert_status_body(): Reject invalid cert status
authorRyan Hooper <ryhooper@cisco.com>
Thu, 13 Nov 2025 16:08:42 +0000 (11:08 -0500)
committerTomas Mraz <tomas@openssl.org>
Wed, 3 Dec 2025 16:23:45 +0000 (17:23 +0100)
When a CertStatus message is received and the length of the
OCSP response is zero, error out.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29207)

ssl/statem/statem_clnt.c

index 5639048a8e6be36c0fea20d2874d47e03dea25ec..d8d6ad48ee97b9851afa14e5e239093742331104 100644 (file)
@@ -2942,29 +2942,30 @@ int tls_process_cert_status_body(SSL_CONNECTION *s, size_t chainidx, PACKET *pkt
             return 0;
         }
 
-        if (resplen > 0) {
-            respder = OPENSSL_malloc(resplen);
+        if (resplen == 0) {
+            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
+            return 0;
+        }
 
-            if (respder == NULL) {
-                SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
-                return 0;
-            }
+        if ((respder = OPENSSL_malloc(resplen)) == NULL) {
+            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
+            return 0;
+        }
 
-            if (!PACKET_copy_bytes(pkt, respder, resplen)) {
-                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
-                OPENSSL_free(respder);
-                return 0;
-            }
-            p = respder;
-            resp = d2i_OCSP_RESPONSE(NULL, &p, (long)resplen);
+        if (!PACKET_copy_bytes(pkt, respder, resplen)) {
+            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
             OPENSSL_free(respder);
-            if (resp == NULL) {
-                SSLfatal(s, TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
-                         SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE);
-                return 0;
-            }
-            sk_OCSP_RESPONSE_insert(s->ext.ocsp.resp_ex, resp, (int)chainidx);
+            return 0;
+        }
+        p = respder;
+        resp = d2i_OCSP_RESPONSE(NULL, &p, (long)resplen);
+        OPENSSL_free(respder);
+        if (resp == NULL) {
+            SSLfatal(s, TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
+                     SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE);
+            return 0;
         }
+        sk_OCSP_RESPONSE_insert(s->ext.ocsp.resp_ex, resp, (int)chainidx);
     }
 
 #endif
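Review bot: The new unindented `sk_OCSP_RESPONSE_insert(s->ext.ocsp.resp_ex, resp, (int)chainidx);` on the last added line still discards the return value, so on an allocation failure inside the stack the parsed `resp` is leaked and the connection proceeds with that chain entry's status silently missing, which is exactly the index-misalignment this commit is trying to close for the zero-length case. Since the function already aborts with `SSL_AD_INTERNAL_ERROR`/`ERR_R_CRYPTO_LIB` when `OPENSSL_malloc` fails, the insert should fail the same way. The zero-length rejection would also benefit from a one-line rationale so the next reader does not relax it, e.g. `/* RFC 6066 s8: OCSPResponse is <1..2^24-1>, an empty response is malformed */` above the `if (resplen == 0)` check. Whether `s->ext.ocsp.resp_ex` is guaranteed non-NULL at this point cannot be seen from the hunk; tls_process_cert_status_body begins before the hunk and its remainder lies after it.
```c
        /* … unchanged: d2i_OCSP_RESPONSE call and resp == NULL check … */
        if (sk_OCSP_RESPONSE_insert(s->ext.ocsp.resp_ex, resp, (int)chainidx) <= 0) {
            OCSP_RESPONSE_free(resp);
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
            return 0;
        }
```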