From: mat Date: Wed, 29 Apr 2026 06:08:44 +0000 (+0300) Subject: ssl: guard ciphersuite_cb() against NULL elem from CONF_parse_list X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=dbf949c4b2f403d4b212e045adfe0686755bb229;p=thirdparty%2Fopenssl.git ssl: guard ciphersuite_cb() against NULL elem from CONF_parse_list CONF_parse_list() invokes its callback with elem=NULL and len=0 for empty list elements (e.g. consecutive separators like "A::B"). ciphersuite_cb() passed elem directly to memcpy() without checking for NULL, triggering undefined behaviour on any input containing an empty ciphersuite token. Skip empty elements early by returning 1 before any pointer dereference. Fixes #30919 Reviewed-by: Daniel Kubec Reviewed-by: Eugene Syromiatnikov MergeDate: Tue May 26 08:56:52 2026 (Merged from https://github.com/openssl/openssl/pull/31023) --- diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index fc12efaae1a..80fa976f474 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1234,6 +1234,10 @@ static int ciphersuite_cb(const char *elem, int len, void *arg) /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ char name[80]; + /* CONF_parse_list signals empty elements with elem==NULL; skip them */ + if (elem == NULL || len == 0) + return 1; + if (len > (int)(sizeof(name) - 1)) /* Anyway return 1 so we can parse rest of the list */ return 1;
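Review bot: In the added guard at the top of ciphersuite_cb(), the length test is `len == 0`, while the existing bound check right after it, `len > (int)(sizeof(name) - 1)`, is a signed comparison, so a negative len with a non-NULL elem gets past both checks and continues toward the memcpy() the commit message describes. Writing the guard as `if (elem == NULL || len <= 0)` costs nothing and makes the function safe regardless of what the caller hands it. Separately, the diff touches only ssl/ssl_ciph.c: a regression test that feeds a ciphersuite string with an empty token (the "A::B" case from the commit message) would pin the behaviour, including the fact that the empty element is skipped with a return of 1 rather than reported as an error.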