Avoid NULL deref in CBS_get_any_asn1_element().

This function is documented as allowing NULL for out_header_len.

ok jsing@

2 files changed, 6 insertions, 4 deletions

diff --git a/src/lib/libssl/bs_cbs.c b/src/lib/libssl/bs_cbs.c
index fc2eafff0e..0237f73681 100644
--- a/src/lib/libssl/bs_cbs.c
+++ b/src/lib/libssl/bs_cbs.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bs_cbs.c,v 1.5 2015/04/29 01:23:20 doug Exp $ */
+/*      $OpenBSD: bs_cbs.c,v 1.6 2015/04/29 01:27:34 doug Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -236,7 +236,8 @@ CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
 
                 if ((tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
                         /* indefinite length */
-                        *out_header_len = 2;
+                        if (out_header_len != NULL)
+                                *out_header_len = 2;
                         return CBS_get_bytes(cbs, out, 2);
                 }
 
diff --git a/src/lib/libssl/src/ssl/bs_cbs.c b/src/lib/libssl/src/ssl/bs_cbs.c
index fc2eafff0e..0237f73681 100644
--- a/src/lib/libssl/src/ssl/bs_cbs.c
+++ b/src/lib/libssl/src/ssl/bs_cbs.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bs_cbs.c,v 1.5 2015/04/29 01:23:20 doug Exp $ */
+/*      $OpenBSD: bs_cbs.c,v 1.6 2015/04/29 01:27:34 doug Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -236,7 +236,8 @@ CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
 
                 if ((tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {
                         /* indefinite length */
-                        *out_header_len = 2;
+                        if (out_header_len != NULL)
+                                *out_header_len = 2;
                         return CBS_get_bytes(cbs, out, 2);
                 }