https://bz.apache.org/bugzilla/show_bug.cgi?id=65902
Bug ID: 65902
Summary: modules/ssl/ssl_engine_vars.c: Add check after calling ASN1_STRING_new
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: jiash...@iscas.ac.cn
Target Milestone: ---

Created attachment 38205
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38205&action=edit
0001-modules-ssl-ssl_engine_vars-Add-check-after-calling-ASN1_STRING_new

Because of the potential failure of the memory allocation, 'ret' could be a NULL pointer if it fails.
I have checked the OpenSSL docs for 'd2i_DISPLAYTEXT' (Link: https://www.openssl.org/docs/man3.0/man3/d2i_DISPLAYTEXT.html); it could accept a NULL pointer as a valid parameter and return success.
Then 'ret' will be dereferenced in ASN1_STRING_print_ex().
Therefore, it would be better to check ASN1_STRING_new() and return an error if it fails.