Dear all,
I think the following snippet from OBJ_obj2txt() is missing a NULL-pointer
check.
    s=OBJ_nid2ln(nid);
    if (s == NULL)
        s=OBJ_nid2sn(nid);
    if (buf)
        BUF_strlcpy(buf,s,buf_len);
OBJ_nid2sn() may return NULL; in this case BUF_strlcpy() dereferences
the NULL pointer. This problem can be triggered from an external test
application.
If the parameter has neither ln nor sn, I suggest that -1 is returned.
The attached short patch against today's snapshot fixes this problem.
Best regards,
Martin
--- crypto/objects/obj_dat.c.orig 2008-11-12 05:00:17.000000000 +0100
+++ crypto/objects/obj_dat.c 2009-11-02 18:18:20.000000000 +0100
@@ -466,7 +466,7 @@
int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
{
int i,n=0,len,nid, first, use_bn;
- BIGNUM *bl;
+ BIGNUM *bl = NULL;
unsigned long l;
const unsigned char *p;
char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
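Review bot: The NULL initialiser moved onto the declaration of bl reads like an unrelated style change unless the reader connects it to the goto err added in the next hunk, which runs before the old bl = NULL assignment. The cleanup code under the err label is not among the visible lines, so please say in the submission that it reads bl and that this is why the initialisation has to happen at the declaration. That lets the three hunks be reviewed as one fix.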
@@ -483,6 +483,8 @@
s=OBJ_nid2ln(nid);
if (s == NULL)
s=OBJ_nid2sn(nid);
+ if (s == NULL)
+ goto err;
if (buf)
BUF_strlcpy(buf,s,buf_len);
n=strlen(s);
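Review bot: On the new goto err path, taken just above the if (buf) test, buf is left unwritten, so a caller that ignores the return value will go on to read whatever the buffer held before the call. Consider storing an empty string in buf when buf is non-NULL and buf_len is greater than zero before jumping to err. The position of the check, before if (buf), is right, because n=strlen(s) would also dereference a NULL s when buf is NULL. The err label is outside the visible hunks; please confirm it returns -1, as the message proposes.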
@@ -494,7 +496,6 @@
p=a->data;
first = 1;
- bl = NULL;
while (len > 0)
{