From: Anton Moryakov Date: Wed, 29 Oct 2025 18:21:39 +0000 (+0300) Subject: apps: ocsp.c: fix null dereference in ocsp_response X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e2e7c60d33727f7818c6c0e915b02fe11be1188;p=thirdparty%2Fopenssl.git apps: ocsp.c: fix null dereference in ocsp_response Report of the static analyzer: Function 'OCSP_cert_to_id' may return NULL on allocation failure, but its return value is dereferenced in 'OCSP_id_issuer_cmp' without prior NULL check at ocsp.c:1088. This can lead to a null pointer dereference and cause a segmentation fault, resulting in a denial-of-service (DoS) condition. Although such failures are rare, an attacker could potentially trigger them under memory pressure. All other calls to 'OCSP_cert_to_id' in the codebase (e.g., add_ocsp_cert, add_ocsp_serial) properly check for NULL, making this instance a clear omission. Correct explained: Added a NULL check after calling OCSP_cert_to_id() when creating 'ca_id' inside the issuer lookup loop. If the allocation fails, the function now safely returns an internal error response instead of risking a crash. This change aligns the code with existing error-handling patterns in the same file and improves robustness against resource exhaustion attacks. Signed-off-by: Anton Moryakov Reviewed-by: Dmitry Belyavskiy Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Tomas Mraz MergeDate: Thu Jan 8 09:01:09 2026 (Merged from https://github.com/openssl/openssl/pull/29033) --- diff --git a/apps/ocsp.c b/apps/ocsp.c index b86d14f56c1..084eb86b2a4 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1134,6 +1134,12 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req X509 *ca_cert = sk_X509_value(ca, jj); OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert); + if (ca_id == NULL) { + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, + NULL); + goto end; + } + if (OCSP_id_issuer_cmp(ca_id, cid) == 0) { found = 1; if (resp_md != NULL)