conf: guard NULL group in NCONF_get_string() error path

NCONF_get_string() passes the group parameter directly to
ERR_raise_data() with a %s format specifier.  The CONF API
explicitly allows group to be NULL (meaning "default section"),
and multiple internal callers use this, such as conf_diagnostics()
and CONF_modules_load().

When the lookup fails and the error path is reached, passing NULL
to %s is undefined behavior per the C standard.  On Linux/glibc
it happens to print "(null)", but on platforms like Solaris 10 it
crashes in strlen() inside vsnprintf().

This was exposed after commit #28305 replaced the custom _dopr()
(which had an explicit NULL-to-"<NULL>" guard in fmtstr()) with
the platform's native vsnprintf().

Guard the NULL by using an empty string in the format argument.

Fixes #30402

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Tue Mar 24 17:39:02 2026
(Merged from https://github.com/openssl/openssl/pull/30484)

(cherry picked from commit cd20f1af1cfe3ca0b733201654667582788eb014)

diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c
index 6efd95283e9ed9e22869c8e7c4c8637d8584adde..c148a43490a5606159b8eec760035e6dd8b20b73 100644 (file)
--- a/crypto/conf/conf_lib.c
+++ b/crypto/conf/conf_lib.c
@@ -314,7 +314,7 @@ char *NCONF_get_string(const CONF *conf, const char *group, const char *name)
         return NULL;
     }
     ERR_raise_data(ERR_LIB_CONF, CONF_R_NO_VALUE,
-        "group=%s name=%s", group, name);
+        "group=%s name=%s", group != NULL ? group : "", name);
     return NULL;
 }