From d0cf9aeca512581235a63d9ed8e8a3c69039b9df Mon Sep 17 00:00:00 2001
From: schwarze <>
Date: Thu, 4 Jun 2020 21:21:03 +0000
Subject: When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1),
 return failure rather than silently constructing a broken X509_ATTRIBUTE
 object that might cause NULL pointer accesses later on.  This matters because
 X509_ATTRIBUTE_create() is used by documented API functions like
 PKCS7_add_attribute(3) and the NID comes straight from the user.

This fixes a bug found while working on documentation.

OK tb@  and  "thanks" bluhm@
---
 src/lib/libcrypto/asn1/x_attrib.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'src/lib/libcrypto/asn1/x_attrib.c')

diff --git a/src/lib/libcrypto/asn1/x_attrib.c b/src/lib/libcrypto/asn1/x_attrib.c
index bb74a1b6c7..04816eab77 100644
--- a/src/lib/libcrypto/asn1/x_attrib.c
+++ b/src/lib/libcrypto/asn1/x_attrib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_attrib.c,v 1.13 2015/02/14 14:56:45 jsing Exp $ */
+/* $OpenBSD: x_attrib.c,v 1.14 2020/06/04 21:21:03 schwarze Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -174,10 +174,13 @@ X509_ATTRIBUTE_create(int nid, int atrtype, void *value)
 {
 	X509_ATTRIBUTE *ret = NULL;
 	ASN1_TYPE *val = NULL;
+	ASN1_OBJECT *oid;
 
+	if ((oid = OBJ_nid2obj(nid)) == NULL)
+		return (NULL);
 	if ((ret = X509_ATTRIBUTE_new()) == NULL)
 		return (NULL);
-	ret->object = OBJ_nid2obj(nid);
+	ret->object = oid;
 	ret->single = 0;
 	if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL)
 		goto err;
-- 
cgit v1.2.3-55-g6feb