vtls: alpn setting, check proto parameter

When setting the negotiated alpn protocol, either then length
must be 0 or a pointer must be passed.

Reported in Joshua's sarif data

Closes #18717

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index bfec585ce21051e60ab250fe54350c0708e196c1..9872e4c24d426dfbeef2211497dbdfe8bff04e43 100644 (file)
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -1993,6 +1993,11 @@ CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
       result = CURLE_SSL_CONNECT_ERROR;
       goto out;
     }
+    else if(!proto) {
+      DEBUGASSERT(0); /* with length, we need a pointer */
+      result = CURLE_SSL_CONNECT_ERROR;
+      goto out;
+    }
     else if((strlen(connssl->negotiated.alpn) != proto_len) ||
             memcmp(connssl->negotiated.alpn, proto, proto_len)) {
       failf(data, "ALPN: asked for '%s' from previous session, but server "