From: Zhou Qingyang Date: Mon, 11 Apr 2022 16:25:26 +0000 (+0800) Subject: Fix wild pointer dereference in make_ocsp_response() X-Git-Tag: openssl-3.2.0-alpha1~2753 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d50a5467b0a208c61d163239a3544bae06343ea;p=thirdparty%2Fopenssl.git Fix wild pointer dereference in make_ocsp_response() The function OCSP_basic_add1_status() will return NULL on malloc failure. However the return value is not checked before being passed to OCSP_SINGLERESP_add1_ext_i2d(), and there is a wild field pointer, which could lead to wild pointer dereference. Fix this by adding return value check Reviewed-by: Kurt Roeckx Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/18081) --- diff --git a/apps/ocsp.c b/apps/ocsp.c index 51f2b37f479..a2f974cf7ba 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1119,6 +1119,11 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED, reason, revtm, thisupd, nextupd); + if (single == NULL) { + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, + NULL); + goto end; + } if (invtm != NULL) OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
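Review bot: the call `OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);` in the trailing context of this hunk still discards its return value, so a failure to attach the invalidity-date extension would pass silently and the response would be built without it. Since the new `single == NULL` check already treats allocation failure in this block as `OCSP_RESPONSE_STATUS_INTERNALERROR`, consider checking that call as well and taking the same `goto end` path. Also note that the added `OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL)` can itself return NULL under the memory pressure that triggers this branch, so `*resp` may still be NULL when control reaches `end`. It is worth confirming that the code after `end` and the caller of `make_ocsp_response()` tolerate that, or adding a short comment here saying so.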