Don't up_ref a NULL |CRYPTO_BUFFER|.
If an existing chain had a NULL placeholder for a leaf we could end up
trying to increment its reference count. That results in a crash at
configuration time. Found via the SSL_CTX API fuzzer.
BUG=oss-fuzz:480
Change-Id: I0ddc2cbde2e625015768f1bdc8da625e8a4f05fd
Reviewed-on: https://boringssl-review.googlesource.com/13383
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 52a386b..ed6ba0d 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -295,7 +295,10 @@
if (!sk_CRYPTO_BUFFER_push(new_chain, leaf)) {
goto err;
}
- CRYPTO_BUFFER_up_ref(leaf);
+ /* |leaf| might be NULL if it's a “leafless” chain. */
+ if (leaf != NULL) {
+ CRYPTO_BUFFER_up_ref(leaf);
+ }
}
for (size_t i = 0; i < sk_X509_num(chain); i++) {
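Review bot: The new `if (leaf != NULL)` guard fixes the up_ref, but `sk_CRYPTO_BUFFER_push(new_chain, leaf)` just above it still stores the NULL placeholder as the first element of `new_chain`. The added comment sits on the guard only. Consider moving or extending it to cover the push, stating that element 0 may be NULL for a leafless chain, so that later readers of the chain know they must check before dereferencing. Please also confirm that the `err` path, which frees `new_chain`, tolerates a NULL entry. Since this was found by the SSL_CTX API fuzzer, a regression test that configures a leafless chain and then runs this code would keep the crash from coming back without depending on the fuzzer corpus.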