From 7e8938c4fc57511d12e36497db4da448cebc457f Mon Sep 17 00:00:00 2001 From: Andrey Tsygunka Date: Fri, 4 Apr 2025 14:58:40 +0300 Subject: [PATCH] Fix potential NULL pointer dereference in final_maxfragmentlen() In the final_maxfragmentlen() function, s->session is checked for NULL after it was dereferenced earlier. So move this NULL check to the top of the function. CLA: trivial Fixes: fa49560451 (Fix handling of max_fragment_length extension for PSK) Signed-off-by: Andrey Tsygunka Reviewed-by: Tomas Mraz Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Paul Yang (Merged from https://github.com/openssl/openssl/pull/27272) (cherry picked from commit 28de1f5004c1083d358e6934552124a201e0251e) --- ssl/statem/extensions.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index c35c2ccd337..2d263196d94 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1742,11 +1742,14 @@ static int final_early_data(SSL_CONNECTION *s, unsigned int context, int sent) static int final_maxfragmentlen(SSL_CONNECTION *s, unsigned int context, int sent) { + if (s->session == NULL) + return 1; + /* MaxFragmentLength defaults to disabled */ if (s->session->ext.max_fragment_len_mode == TLSEXT_max_fragment_length_UNSPECIFIED) s->session->ext.max_fragment_len_mode = TLSEXT_max_fragment_length_DISABLED; - if (s->session && USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) { + if (USE_MAX_FRAGMENT_LENGTH_EXT(s->session)) { s->rlayer.rrlmethod->set_max_frag_len(s->rlayer.rrl, GET_MAX_FRAGMENT_LENGTH(s->session)); s->rlayer.wrlmethod->set_max_frag_len(s->rlayer.wrl, -- 2.47.2
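Review bot: The new `if (s->session == NULL) return 1;` at the top of final_maxfragmentlen() reports success for a connection that has no session, and nothing beside it says why that is the right outcome rather than a handshake error. The old `s->session &&` guard suggests the no-session case was meant to be a no-op, so a one-line comment would make that intent explicit, e.g. `/* No session to record the negotiated mode in; nothing to finalise */`. If a NULL session at this point is in fact an invariant violation, failing closed with `SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0;` would be safer than silently skipping the default-to-disabled step; which of the two applies is not visible from the hunk. The function body continues past the end of the hunk.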