From: Radek Krejci <radek.krejci@oracle.com>
Date: Thu, 21 Mar 2024 12:19:23 +0000 (+0100)
Subject: Avoid NULL pointer dereference
X-Git-Tag: openssl-3.0.15~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b548466d193c47102dec54a8ae6cfb06bb458059;p=thirdparty%2Fopenssl.git

Avoid NULL pointer dereference

Function readbuffer_gets() misses some of the initial checks of its
arguments. Not checking them can lead to a later NULL pointer
dereferences.

The checks are now unified with the checks in readbuffer_read()
function.

CLA: trivial
Fixes #23915

Signed-off-by: Radek Krejci <radek.krejci@oracle.com>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23918)

(cherry picked from commit c215d75f94fcaa598817e739221f33b71b53fb39)
---

diff --git a/crypto/bio/bf_readbuff.c b/crypto/bio/bf_readbuff.c
index 135ccef83bf..62490b9a2b3 100644
--- a/crypto/bio/bf_readbuff.c
+++ b/crypto/bio/bf_readbuff.c
@@ -222,10 +222,13 @@ static int readbuffer_gets(BIO *b, char *buf, int size)
     char *p;
     int i, j;
 
-    if (size == 0)
+    if (buf == NULL || size == 0)
         return 0;
     --size; /* the passed in size includes the terminator - so remove it here */
     ctx = (BIO_F_BUFFER_CTX *)b->ptr;
+
+    if (ctx == NULL || b->next_bio == NULL)
+        return 0;
     BIO_clear_retry_flags(b);
 
     /* If data is already buffered then use this first */