https://bugs.exim.org/show_bug.cgi?id=2316
Bug ID: 2316
Summary: Missing Error Check in function X509_NAME_oneline()
Product: Exim
Version: 4.91
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
Assignee: jgh146...@wizmail.org
Reporter: chi-l...@mails.tsinghua.edu.cn
CC: exim-dev@exim.org

Function X509_NAME_oneline() returns a valid string on success or NULL on error. However, the function X509_NAME_oneline() didn't check whether the return value is NULL or not. See the following details.

line: 384
code:

    X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));

The same situation also occurs at lines 530 and 1739.

ref: https://github.com/Exim/exim/blob/exim-4_91%2Bfixes/src/src/tls-openssl.c

===================================================================

The following ref is about the specification of function X509_NAME_oneline.

ref: https://www.openssl.org/docs/manmaster/man3/X509_NAME_oneline.html

We find the return value of this call being checked in the openssl project, with the version of openssl 1.1.2. Such as in the openssl/crypto folder:

crypto/x509/x_name.c
ref: https://github.com/openssl/openssl/blob/master/crypto/x509/x_name.c

    500: b = X509_NAME_oneline(name, NULL, 0);
    501: if (!b)
    502:     return 0;

/crypto/x509v3/v3_alt.c
ref: https://github.com/openssl/openssl/blob/master/crypto/x509v3/v3_alt.c

    104: if (X509_NAME_oneline(gen->d.dirn, oline, sizeof(oline)) == NULL
    105:     || !X509V3_add_value("DirName", oline, &ret))
    106:     return NULL;