From: Ingo Schwarze <schwarze@openbsd.org>
Date: Thu, 4 Jun 2020 22:30:00 +0000 (+0200)
Subject: Fix NULL pointer access caused by X509_ATTRIBUTE_create()
X-Git-Tag: OpenSSL_1_1_1j~37
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F13724%2Fhead;p=thirdparty%2Fopenssl.git

Fix NULL pointer access caused by X509_ATTRIBUTE_create()

When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on.  This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.

This bug was found while working on LibreSSL documentation.

Reviewed-by: Theo Buehler <tb@openbsd.org>

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12052)

(cherry picked from commit c4b2c53fadb158bee34aef90d5a7d500aead1f70)
---

diff --git a/crypto/x509/x_attrib.c b/crypto/x509/x_attrib.c
index 813c5b01c3a..7342c4f6bcb 100644
--- a/crypto/x509/x_attrib.c
+++ b/crypto/x509/x_attrib.c
@@ -37,10 +37,13 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
 {
     X509_ATTRIBUTE *ret = NULL;
     ASN1_TYPE *val = NULL;
+    ASN1_OBJECT *oid;
 
+    if ((oid = OBJ_nid2obj(nid)) == NULL)
+        return NULL;
     if ((ret = X509_ATTRIBUTE_new()) == NULL)
         return NULL;
-    ret->object = OBJ_nid2obj(nid);
+    ret->object = oid;
     if ((val = ASN1_TYPE_new()) == NULL)
         goto err;
     if (!sk_ASN1_TYPE_push(ret->set, val))