CONF_parse_list() invokes its callback with elem=NULL and len=0 for
empty list elements (e.g. consecutive separators like "A::B").
ciphersuite_cb() passed elem directly to memcpy() without checking for
NULL, triggering undefined behaviour on any input containing an empty
ciphersuite token.

Skip empty elements early by returning 1 before any pointer dereference.

Fixes #30919

Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Tue May 26 08:56:52 2026
(Merged from https://github.com/openssl/openssl/pull/31023)

/* Arbitrary sized temp buffer for the cipher name. Should be big enough */
char name[80];
+ /* CONF_parse_list signals empty elements with elem==NULL; skip them */
+ if (elem == NULL || len == 0)
+ return 1;
+
if (len > (int)(sizeof(name) - 1))
/* Anyway return 1 so we can parse rest of the list */
return 1;
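
Review bot: the new guard `if (elem == NULL || len == 0)` rejects only a zero length, while the following check compares `len` as a signed value (`len > (int)(sizeof(name) - 1)`), so a negative `len` would pass both tests and reach the memcpy() named in the commit message. CONF_parse_list() is not expected to pass one, but writing the guard as `len <= 0` costs nothing and closes that path. The added comment mentions only the `elem==NULL` case; saying that zero-length elements are skipped as well would match the condition. No test is visible in this hunk; a ciphersuite string with consecutive separators, like the "A::B" form from the commit message, would pin the fixed behaviour.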