OS: OpenBSD, Linux OpenSSL version: 0.9.7j - 0.9.7m Snippet from crypto/x509v3/v3_alt.c
static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) { [...] if(ctx->flags == CTX_TEST) return 1; if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) [...] As you see first ctx is deferenced and 'flags' field is accessed and only then ctx is tested for NULL. When ctx is NULL it leads to an invalid memory access. This bug is appears to be fixed in 0.9.8 branch. Here is a trivial patch for 0.9.7m
diff -urN openssl-0.9.7m.orig/crypto/x509v3/v3_alt.c openssl-0.9.7m.fixed/crypto/x509v3/v3_alt.c
--- openssl-0.9.7m.orig/crypto/x509v3/v3_alt.c Sun Jan 21 17:02:32 2007
+++ openssl-0.9.7m.fixed/crypto/x509v3/v3_alt.c Tue Nov 18 13:18:37 2008
@@ -310,7 +310,7 @@
 X509_NAME_ENTRY *ne;
 GENERAL_NAME *gen = NULL;
 int i;
- if(ctx->flags == CTX_TEST) return 1;
+ if(ctx && ctx->flags == CTX_TEST) return 1;
 if(!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
 X509V3err(X509V3_F_COPY_EMAIL,X509V3_R_NO_SUBJECT_DETAILS);
 goto err;
Regards, Andrei Korostelev ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
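Review bot: The added line `if(ctx && ctx->flags == CTX_TEST) return 1;` leaves the NULL test on ctx split across two adjacent conditions, with no comment recording that ctx may be NULL at this point, so a later tidy-up could reintroduce the dereference. I would add a one-line comment above it, for example `/* ctx may be NULL here: test it before reading ctx->flags */`. Only copy_email is shown on this page; whether other functions in v3_alt.c read ctx->flags ahead of their own NULL test cannot be seen from this hunk and is worth checking in the same change. copy_email's body starts and ends outside the hunk.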