From: easonysliu Date: Wed, 18 Mar 2026 08:22:24 +0000 (+0800) Subject: conf: guard NULL group in NCONF_get_string() error path X-Git-Tag: openssl-4.0.0~108 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d97f023307d95aa9d04d50576a206fde7d55c1a;p=thirdparty%2Fopenssl.git conf: guard NULL group in NCONF_get_string() error path NCONF_get_string() passes the group parameter directly to ERR_raise_data() with a %s format specifier. The CONF API explicitly allows group to be NULL (meaning "default section"), and multiple internal callers use this, such as conf_diagnostics() and CONF_modules_load(). When the lookup fails and the error path is reached, passing NULL to %s is undefined behavior per the C standard. On Linux/glibc it happens to print "(null)", but on platforms like Solaris 10 it crashes in strlen() inside vsnprintf(). This was exposed after commit #28305 replaced the custom _dopr() (which had an explicit NULL-to-"" guard in fmtstr()) with the platform's native vsnprintf(). Guard the NULL by using an empty string in the format argument. Fixes #30402 CLA: trivial Reviewed-by: Dmitry Belyavskiy Reviewed-by: Tomas Mraz MergeDate: Tue Mar 24 17:39:02 2026 (Merged from https://github.com/openssl/openssl/pull/30484) (cherry picked from commit cd20f1af1cfe3ca0b733201654667582788eb014) --- diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c index 6efd95283e9..c148a43490a 100644 --- a/crypto/conf/conf_lib.c +++ b/crypto/conf/conf_lib.c @@ -314,7 +314,7 @@ char *NCONF_get_string(const CONF *conf, const char *group, const char *name) return NULL; } ERR_raise_data(ERR_LIB_CONF, CONF_R_NO_VALUE, - "group=%s name=%s", group, name); + "group=%s name=%s", group != NULL ? group : "", name); return NULL; }
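Review bot: In the `ERR_raise_data()` call in `NCONF_get_string()`, `name` is still passed to the second `%s` without a guard, so if any caller can reach this error path with a NULL `name`, the undefined behaviour the commit message describes remains for that argument. Either confirm that `name` cannot be NULL at this point or give it the same treatment, e.g. `name != NULL ? name : ""`. The diff touches only `crypto/conf/conf_lib.c`; a regression test that performs a failing lookup with a NULL `group` and checks the queued error would keep this from resurfacing on platforms whose `vsnprintf()` does not tolerate NULL for `%s`. Minor: with the empty-string fallback the error data reads `group= name=...`, which does not distinguish the default section from a section whose name is empty; if that distinction matters to users reading the error, a short comment at the call site explaining that NULL means the default section would help.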