From 09abc5bf0229b90d3588a393613e09d669ec3581 Mon Sep 17 00:00:00 2001
From: doug <>
Date: Sun, 15 Mar 2015 22:52:17 +0000
Subject: Avoid a NULL pointer deref when X509_get_pubkey() returns NULL.

A NULL pointer could be dereferenced when X509_REQ_set_pubkey() calls
X509_PUBKEY_set() with pktmp.

OpenSSL says it's the fix for CVE-2015-0288, but there aren't any public
details yet to confirm.  Either way, we should fix this.

Based on OpenSSL commit 28a00bcd8e318da18031b2ac8778c64147cd54f9
and BoringSSL commit 9d102ddbc0f6ed835ed12272a3d8a627d6a8e728.

"looks sane" beck@
ok miod@, bcook@
---
 src/lib/libcrypto/x509/x509_req.c         | 6 ++++--
 src/lib/libssl/src/crypto/x509/x509_req.c | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 452ce0a512..8813f372cc 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.16 2014/09/28 10:50:33 miod Exp $ */
+/* $OpenBSD: x509_req.c,v 1.17 2015/03/15 22:52:17 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -94,7 +94,9 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 	if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
 		goto err;
 
-	pktmp = X509_get_pubkey(x);
+	if ((pktmp = X509_get_pubkey(x)) == NULL)
+		goto err;
+
 	i = X509_REQ_set_pubkey(ret, pktmp);
 	EVP_PKEY_free(pktmp);
 	if (!i)
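Review bot: The new `== NULL` guard on `pktmp` protects only this call site, while the commit message places the dereference inside X509_PUBKEY_set(). Any other caller that passes an unchecked X509_get_pubkey() result to X509_REQ_set_pubkey() would presumably still crash, so rejecting a NULL key inside the callee would cover all callers; that code is outside this diff. At the guard itself a short comment would record why the check exists, e.g. `/* X509_get_pubkey() returns NULL if the certificate's key cannot be decoded */`. The same applies to the identical hunk in src/lib/libssl/src/crypto/x509/x509_req.c. X509_to_X509_REQ() starts before and continues past the hunk, so what the `err` label releases cannot be confirmed from here.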
diff --git a/src/lib/libssl/src/crypto/x509/x509_req.c b/src/lib/libssl/src/crypto/x509/x509_req.c
index 452ce0a512..8813f372cc 100644
--- a/src/lib/libssl/src/crypto/x509/x509_req.c
+++ b/src/lib/libssl/src/crypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.16 2014/09/28 10:50:33 miod Exp $ */
+/* $OpenBSD: x509_req.c,v 1.17 2015/03/15 22:52:17 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -94,7 +94,9 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
 	if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x)))
 		goto err;
 
-	pktmp = X509_get_pubkey(x);
+	if ((pktmp = X509_get_pubkey(x)) == NULL)
+		goto err;
+
 	i = X509_REQ_set_pubkey(ret, pktmp);
 	EVP_PKEY_free(pktmp);
 	if (!i)
-- 
cgit v1.2.3-55-g6feb