[openssl-dev] [openssl.org #3680] NULL pointer dereference in tls1_check_chain (ssl/t1_lib.c)

David Ramos via RT rt at openssl.org
Thu Jan 29 19:33:59 UTC 2015


Hello,

Our UC-KLEE tool found a NULL pointer dereference bug in tls1_check_chain (ssl/t1_lib.c) affecting OpenSSL 1.0.2. The bug appears to have been introduced in commit 6660baee66e474058229911950e26e56f31fb0bf (12/26/2012).

The bug is triggered if either of the “goto end” statements are taken on lines (w.r.t. commit 4ac03295) 4125 or 4128, as these jumps bypass the assignment of ‘cpk’ on line 4129.

The code then triggers a NULL pointer dereference when it dereferences ‘cpk’ on lines 4316 or 4332.

Please let me know if you have any questions.

Thanks,
-David
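The control-flow shape the report describes, as an added illustration that is not OpenSSL's code: a pointer starts NULL, two early "goto end" exits skip the assignment, and the code after the label dereferences it anyway. The struct and field names (cert_pkey_t, cert_t, valid, flags, default_idx) are hypothetical stand-ins; check_chain_fixed shows one hardening, a NULL check at the label before any use.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for OpenSSL's CERT_PKEY / CERT; field names are assumptions. */
#define NUM_PKEYS 3
typedef struct { int valid; int flags; } cert_pkey_t;
typedef struct { cert_pkey_t pkeys[NUM_PKEYS]; int default_idx; } cert_t;

/* Buggy shape: cpk is NULL until assigned, both early exits jump over the
 * assignment, and the code after end: dereferences cpk unconditionally. */
static int check_chain_buggy(cert_t *c, int idx)
{
    cert_pkey_t *cpk = NULL;
    int rv = 0;
    if (c->default_idx < 0)
        goto end;                  /* skips the cpk assignment below */
    if (idx < 0 || idx >= NUM_PKEYS)
        goto end;                  /* skips the cpk assignment below */
    cpk = &c->pkeys[idx];
    rv = cpk->valid;
end:
    return rv | cpk->flags;        /* NULL dereference on either goto path */
}

/* Hardened shape: every path reaching end: must tolerate an unset cpk. */
static int check_chain_fixed(cert_t *c, int idx)
{
    cert_pkey_t *cpk = NULL;
    int rv = 0;
    if (c->default_idx < 0)
        goto end;
    if (idx < 0 || idx >= NUM_PKEYS)
        goto end;
    cpk = &c->pkeys[idx];
    rv = cpk->valid;
end:
    if (cpk == NULL)               /* early-exit paths land here with cpk unset */
        return 0;
    return rv | cpk->flags;
}

int main(void)
{
    /* Constructed sample: three key slots, default index 0. */
    cert_t c = { { {1, 2}, {0, 4}, {1, 8} }, 0 };
    printf("fixed, in-range idx 0: %d\n", check_chain_fixed(&c, 0));
    printf("fixed, out-of-range idx 7: %d\n", check_chain_fixed(&c, 7));
    /* check_chain_buggy(&c, 7) would crash: the goto path leaves cpk NULL. */
    return 0;
}
```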