fix BIO_vsnprintf() with NULL string arg crash on Solaris 10

Issue was kindly reported and fixes suggested by @rainerjung

Fixes #30402

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr 10 12:22:44 2026
(Merged from https://github.com/openssl/openssl/pull/30596)

diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 1dee097d55b7d5d7254faf7ef7cd105f62474592..87f7241547e65443a8feee1dc2b8f3c4abbd1992 100644 (file)
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -374,7 +374,10 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
             BIO_puts(out, ":");
         nid = groups[i];
         const char *name = SSL_group_to_name(s, nid);
-        BIO_puts(out, ((name != NULL) ? name : "(null)"));
+        if (name == NULL)
+            BIO_printf(out, "%d", nid);
+        else
+            BIO_puts(out, name);
     }
     OPENSSL_free(groups);
     if (noshared) {
@@ -388,7 +391,10 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
             BIO_puts(out, ":");
         nid = SSL_get_shared_group(s, i);
         const char *name = SSL_group_to_name(s, nid);
-        BIO_puts(out, ((name != NULL) ? name : "(null)"));
+        if (name == NULL)
+            BIO_printf(out, "%d", nid);
+        else
+            BIO_puts(out, name);
     }
     if (ngroups == 0)
         BIO_puts(out, "NONE");
@@ -403,9 +409,15 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
     EVP_PKEY *key;
 
     if (!SSL_get_peer_tmp_key(s, &key)) {
-        if (SSL_version(s) == TLS1_3_VERSION)
-            BIO_printf(out, "Negotiated TLS1.3 group: %s\n",
-                SSL_group_to_name(s, SSL_get_negotiated_group(s)));
+        if (SSL_version(s) == TLS1_3_VERSION) {
+            int nid = SSL_get_negotiated_group(s);
+            const char *name = SSL_group_to_name(s, nid);
+
+            if (name == NULL)
+                BIO_printf(out, "Negotiated TLS1.3 group: %d\n", nid);
+            else
+                BIO_printf(out, "Negotiated TLS1.3 group: %s\n", name);
+        }
         return 1;
     }
 

diff --git a/apps/s_client.c b/apps/s_client.c
index 592e3da79f6031d2cec657be428e5da7e37dd7bf..9acdabf3f6b9cbeedf1aa12bcb026e3d7a8eec9e 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3975,8 +3975,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     estat = SSL_ech_get1_status(s, &inner, &outer);
     print_ech_status(bio, s, estat);
     if (estat == SSL_ECH_STATUS_SUCCESS) {
-        BIO_printf(bio, "ECH: inner: %s\n", inner);
-        BIO_printf(bio, "ECH: outer: %s\n", outer);
+        BIO_printf(bio, "ECH: inner: %s\n", inner == NULL ? "<NULL>" : inner);
+        BIO_printf(bio, "ECH: outer: %s\n", outer == NULL ? "<NULL>" : outer);
     }
     if (estat == SSL_ECH_STATUS_FAILED_ECH
         || estat == SSL_ECH_STATUS_FAILED_ECH_BAD_NAME)

diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
index 963d9dad79b0f14fa23cb81627b6b1630f446e60..22b6513e176cf302e3cb778a17dbd3a7beaef0bf 100644 (file)
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -57,12 +57,18 @@ static const BIO_METHOD methods_filep = {
 BIO *BIO_new_file(const char *filename, const char *mode)
 {
     BIO *ret;
-    FILE *file = openssl_fopen(filename, mode);
+    FILE *file;
     int fp_flags = BIO_CLOSE;
 
     if (strchr(mode, 'b') == NULL)
         fp_flags |= BIO_FP_TEXT;
 
+    if (filename == NULL) {
+        ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER, __func__);
+        return NULL;
+    }
+
+    file = openssl_fopen(filename, mode);
     if (file == NULL) {
         ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),
             "calling fopen(%s, %s)",
@@ -310,6 +316,11 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
         if (!(num & BIO_FP_TEXT))
             OPENSSL_strlcat(p, "b", sizeof(p));
 #endif
+        if (ptr == NULL) {
+            ERR_raise_data(ERR_LIB_CRYPTO, ERR_R_PASSED_NULL_PARAMETER, __func__);
+            ret = 0;
+            break;
+        }
         fp = openssl_fopen(ptr, p);
         if (fp == NULL) {
             ERR_raise_data(ERR_LIB_SYS, get_last_sys_error(),

diff --git a/test/testutil/format_output.c b/test/testutil/format_output.c
index 842a4543bfb9ca8e0377c8922796e9ba5a8d8843..5bb530298939d2380c6df060de8b419217ccb314 100644 (file)
--- a/test/testutil/format_output.c
+++ b/test/testutil/format_output.c
@@ -385,7 +385,8 @@ void test_fail_bignum_mono_message(const char *prefix, const char *file,
 void test_output_bignum(const char *name, const BIGNUM *bn)
 {
     if (bn == NULL || BN_is_zero(bn)) {
-        test_printf_stderr("bignum: '%s' = %s\n", name,
+        test_printf_stderr("bignum: '%s' = %s\n",
+            name == NULL ? "<NULL>" : name,
             test_bignum_zero_null(bn));
     } else if (BN_num_bytes(bn) <= BN_OUTPUT_SIZE) {
         unsigned char buf[BN_OUTPUT_SIZE];
@@ -396,7 +397,8 @@ void test_output_bignum(const char *name, const BIGNUM *bn)
         hex_convert_memory(buf, n, p, BN_OUTPUT_SIZE);
         while (*p == '0' && *++p != '\0')
             ;
-        test_printf_stderr("bignum: '%s' = %s0x%s\n", name,
+        test_printf_stderr("bignum: '%s' = %s0x%s\n",
+            name == NULL ? "<NULL>" : name,
             BN_is_negative(bn) ? "-" : "", p);
     } else {
         test_fail_bignum_common("bignum", NULL, 0, NULL, NULL, NULL, name,