A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl offers a myriad of powerful features
in #13972 you fixed a possible NULL dereference in the ASN1tostr() function.
The root cause was that when converting a Curl_asn1Element with length = 0 to a string,
the dynbuf temp in ASN1tostr() does not get initialized through
one path of the ASN1tostr() function such that Curl_dyn_ptr(&temp) then returns NULL.
Unfortunately there are at least 4 more paths through ASN1tostr() and its helper functions that lead to the same
outcome, involving the functions:
utf8asn1str()
octet2str()
OID2str()
This PR tries to fix the NULL derefs in one place instead of all the helper functions above.
bagder
commented
1 week ago
Hello,
in #13972 you fixed a possible NULL dereference in the
ASN1tostr()function. The root cause was that when converting aCurl_asn1Elementwith length = 0 to a string, the dynbuftempinASN1tostr()does not get initialized through one path of theASN1tostr()function such thatCurl_dyn_ptr(&temp)then returns NULL.Unfortunately there are at least 4 more paths through
ASN1tostr()and its helper functions that lead to the same outcome, involving the functions:utf8asn1str()octet2str()OID2str()This PR tries to fix the NULL derefs in one place instead of all the helper functions above.
For reference, I attached all 4 certificates that cause a NULL dereference: crash-ecf257c87027696ed7f041bb764e0028adb95408 crash-26e2227eeeac47626b14bedfa6793b7c85223fca crash-da35663a566f4c1ccd929bb658b64e2ab925cd07 crash-fddfc08fd1b21a188f99692c8aaf85fdc560ef5d