From: Anton Moryakov Date: Fri, 25 Jul 2025 12:43:15 +0000 (+0300) Subject: crypto: evp: fix potential null pointer dereference in EVP_DigestSignUpdate in m_sigver.c X-Git-Tag: openssl-3.6.0-alpha1~356 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=daa004d48438d67241b58592d43c3214dd3a903f;p=thirdparty%2Fopenssl.git crypto: evp: fix potential null pointer dereference in EVP_DigestSignUpdate in m_sigver.c Static analysis detected that EVP_DigestSign() could lead to null pointer dereference in EVP_DigestSignUpdate() when pctx->pmeth is NULL. The issue occurs in the legacy code path where pmeth is accessed without prior null check. This fix adds a proper null check for pctx->pmeth in the legacy section of EVP_DigestSignUpdate() to prevent the crash when the function is called through EVP_DigestSign() with improperly initialized context. The check is placed in EVP_DigestSignUpdate() rather than EVP_DigestSign() to maintain proper separation of concerns and follow OpenSSL's architectural patterns where lower-level functions handle their own parameter validation. Fixes potential crash in signature operations with legacy providers. CLA: trivial Signed-off-by: Anton Moryakov Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/28095) --- diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index b24a7451df4..dfb844b5336 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -434,6 +434,10 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) legacy: if (pctx != NULL) { + if (pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + return 0; + } /* do_sigver_init() checked that |digest_custom| is non-NULL */ if (pctx->flag_call_digest_custom && !ctx->pctx->pmeth->digest_custom(ctx->pctx, ctx))