From: Jiasheng Jiang
Date: Wed, 6 Mar 2024 16:08:06 +0000 (+0000)
Subject: Add check for xor_get_aid()
X-Git-Tag: openssl-3.3.0-alpha1~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc930bed20d7462afecbb9d947286a335975c04a;p=thirdparty%2Fopenssl.git

Add check for xor_get_aid()

Add check for the return value of xor_get_aid() in order to avoid NULL pointer dereference. For example, "algor" could be NULL if the allocation of X509_ALGOR_new() fails. As a result, i2d_X509_ALGOR() will return 0 and "ctx->aid" will be an invalid value NULL.

Fixes: f4ed6eed2c ("SSL_set1_groups_list(): Fix memory corruption with 40 groups and more")

Signed-off-by: Jiasheng Jiang
Reviewed-by: Tom Cosgrove
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/23764)
---

diff --git a/test/tls-provider.c b/test/tls-provider.c index 53e1d53ffa7..6d66fdf8e18 100644 --- a/test/tls-provider.c +++ b/test/tls-provider.c @@ -2691,6 +2691,10 @@ static int xor_sig_setup_md(PROV_XORSIG_CTX *ctx, OPENSSL_free(ctx->aid); ctx->aid = NULL; ctx->aid_len = xor_get_aid(&(ctx->aid), ctx->sig->tls_name); + if (ctx->aid_len <= 0) { + EVP_MD_free(md); + return 0; + } ctx->mdctx = NULL; ctx->md = md;
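Review bot: The failing return value is written into `ctx->aid_len` before it is tested, so on the new error path in xor_sig_setup_md() the context is left with `ctx->aid == NULL` and whatever non-positive length xor_get_aid() produced. I would capture the result in a local variable, test that, and assign `ctx->aid_len` only on success (or reset it to 0 before `return 0`), so that later code reading the context never sees a length that does not match the buffer. The declaration of `aid_len` is not visible in this hunk: if it is an unsigned type, `ctx->aid_len <= 0` only catches 0 and a negative error return would wrap to a large length, which is one more reason to do the comparison on a signed local. The error path also returns 0 without recording a reason, so a caller cannot tell this allocation failure apart from other failures of the function; an error-queue entry or a short comment next to the check would help.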