CMS_decrypt_set1_*(): fix NULL deref on unsuitable content type
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Mon, 2 Jan 2023 12:05:08 +0000 (13:05 +0100)
committerTomas Mraz <tomas@openssl.org>
Wed, 8 Feb 2023 15:33:29 +0000 (16:33 +0100)
Fixes #19975
for CMS_decrypt_set1_pkey_and_peer() in the obvious way,
and a related potential crash in CMS_decrypt_set1_password().

The point is that the input might have an unexpected content type,
so a guard is needed at both places after `ec` is obtained.

Note that in CMS_decrypt_set1_pkey_and_peer() there was
no such ec != NULL guard for
```
    if (ris != NULL)
        debug = ec->debug;
```
maybe because it is implied here by ris != NULL.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19981)

crypto/cms/cms_smime.c

index 69a35f74cb0fedf5367255bb86891654724bc794..cf12c5b78580ea88e0aaa162716dad16e3d2a4d0 100644 (file)
@@ -710,11 +710,13 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
     CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
 
     /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */
-    OPENSSL_clear_free(ec->key, ec->keylen);
-    ec->key = NULL;
-    ec->keylen = 0;
+    if (ec != NULL) {
+        OPENSSL_clear_free(ec->key, ec->keylen);
+        ec->key = NULL;
+        ec->keylen = 0;
+    }
 
-    if (ris != NULL)
+    if (ris != NULL && ec != NULL)
         debug = ec->debug;
 
     cms_pkey_ri_type = ossl_cms_pkey_get_ri_type(pk);
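Review bot: When `ec` is NULL the function still carries on past the new `if (ec != NULL) {` block, so each later use of `ec` needs its own check, as the changed condition `if (ris != NULL && ec != NULL)` already shows. Failing at once would be easier to audit for input with an unsuitable content type: `if (ec == NULL) return 0;` directly after the declarations, assuming ossl_cms_get0_env_enc_content() has already put an error on the queue (not visible here). The same applies to the guard added in CMS_decrypt_set1_password(). Both function bodies continue outside the hunks, so whether any later line still dereferences `ec` cannot be confirmed from this page.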
@@ -828,9 +830,11 @@ int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
     CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
 
     /* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */
-    OPENSSL_clear_free(ec->key, ec->keylen);
-    ec->key = NULL;
-    ec->keylen = 0;
+    if (ec != NULL) {
+        OPENSSL_clear_free(ec->key, ec->keylen);
+        ec->key = NULL;
+        ec->keylen = 0;
+    }
 
     for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
         ri = sk_CMS_RecipientInfo_value(ris, i);
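Review bot: The kept comment `/* Prevent mem leak on earlier CMS_decrypt_set1_{pkey_and_peer,password} */` explains the clearing of the key but not the new `if (ec != NULL)` around it. A second line such as `/* ec is NULL if cms has an unsuitable content type */` would record why the guard exists, which is the reason given in the commit message; the same line fits the guard in CMS_decrypt_set1_pkey_and_peer(). The loop over `ris` that follows runs past the end of the hunk.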