BUG/MEDIUM: ssl: segfault when cipher is NULL

The patch which fixes the certificate selection uses
SSL_CIPHER_get_id() to skip the SCSV ciphers without checking if cipher
is NULL. This patch fixes the issue by skipping any NULL cipher in the
iteration.

Problem was reported in #2329.

Need to be backported where 23093c72f139eddfce68ea5580193ee131901591 was
backported. No release was made with this patch so the severity is
MEDIUM.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0e83253464d170b53c8bb9158a788ac317c33d69..d025d6eaeee5c1eb9301269d41ec6ea50fc61366 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2506,13 +2506,16 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #else
                        cipher = SSL_CIPHER_find(ssl, cipher_suites);
 #endif
+                       if (!cipher)
+                               continue;
+
                        cipher_id = SSL_CIPHER_get_id(cipher);
                        /* skip the SCSV "fake" signaling ciphersuites because they are NID_auth_any (RFC 7507) */
                        if (cipher_id == SSL3_CK_SCSV || cipher_id == SSL3_CK_FALLBACK_SCSV)
                                continue;
 
-                       if (cipher && (   SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
-                                      || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any)) {
+                       if (SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
+                           || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any) {
                                has_ecdsa_sig = 1;
                                break;
                        }