From 4d50a5467b0a208c61d163239a3544bae06343ea Mon Sep 17 00:00:00 2001
From: Zhou Qingyang <zhou1615@umn.edu>
Date: Tue, 12 Apr 2022 00:25:26 +0800
Subject: [PATCH] Fix wild pointer dereference in make_ocsp_response()

The function OCSP_basic_add1_status() will return NULL on malloc failure.
However the return value is not checked before being passed to
OCSP_SINGLERESP_add1_ext_i2d(), and there is a wild field pointer,
which could lead to wild pointer dereference.

Fix this by adding return value check

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18081)
---
 apps/ocsp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 51f2b37f479..a2f974cf7ba 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1119,6 +1119,11 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
             single = OCSP_basic_add1_status(bs, cid,
                                             V_OCSP_CERTSTATUS_REVOKED,
                                             reason, revtm, thisupd, nextupd);
+            if (single == NULL) {
+                *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
+                                             NULL);
+                goto end;
+            }
             if (invtm != NULL)
                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
                                              invtm, 0, 0);
-- 
2.47.2