When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return

failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on.  This matters because
X509_ATTRIBUTE_create() is used by documented API functions like
PKCS7_add_attribute(3) and the NID comes straight from the user.

This fixes a bug found while working on documentation.

OK tb@  and  "thanks" bluhm@

1 files changed, 5 insertions, 2 deletions

diff --git a/src/lib/libcrypto/asn1/x_attrib.c b/src/lib/libcrypto/asn1/x_attrib.c
index bb74a1b6c7..04816eab77 100644
--- a/src/lib/libcrypto/asn1/x_attrib.c
+++ b/src/lib/libcrypto/asn1/x_attrib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_attrib.c,v 1.13 2015/02/14 14:56:45 jsing Exp $ */
+/* $OpenBSD: x_attrib.c,v 1.14 2020/06/04 21:21:03 schwarze Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -174,10 +174,13 @@ X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
 {
         X509_ATTRIBUTE *ret = NULL;
         ASN1_TYPE *val = NULL;
+        ASN1_OBJECT *oid;
 
+        if ((oid = OBJ_nid2obj(nid)) == NULL)
+                return (NULL);
         if ((ret = X509_ATTRIBUTE_new()) == NULL)
                 return (NULL);
-        ret->object = OBJ_nid2obj(nid);
+        ret->object = oid;
         ret->single = 0;
         if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL)
                 goto err;