maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 37714677f5 Add a null check to OCSP stapling (#12951)
37714677f5 is described below
commit 37714677f5e3be671501b08b20672ddde5916b1a
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Tue Mar 10 14:01:35 2026 -0600
Add a null check to OCSP stapling (#12951)
* Add a null check to OCSP stapling
Code analysis found that the returned value is not checked before the
memcpy.
* Add debug log
* Change the debug log to an error log
---
src/iocore/net/OCSPStapling.cc | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 0a50416765..fa3527dc40 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1406,10 +1406,15 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
time_t current_time = time(nullptr);
if ((cinf->resp_derlen == 0 || cinf->is_expire) || (cinf->expire_time <
current_time && !cinf->is_prefetched)) {
ink_mutex_release(&cinf->stapling_mutex);
- Dbg(dbg_ctl_ssl_ocsp, "ssl_callback_ocsp_stapling: failed to get
certificate status for %s", cinf->certname);
+ Error("ssl_callback_ocsp_stapling: failed to get certificate status for
%s", cinf->certname);
return SSL_TLSEXT_ERR_NOACK;
} else {
unsigned char *p = static_cast<unsigned char
*>(OPENSSL_malloc(cinf->resp_derlen));
+ if (p == nullptr) {
+ ink_mutex_release(&cinf->stapling_mutex);
+ Dbg(dbg_ctl_ssl_ocsp, "ssl_callback_ocsp_stapling: failed to allocate
memory for %s", cinf->certname);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
memcpy(p, cinf->resp_der, cinf->resp_derlen);
ink_mutex_release(&cinf->stapling_mutex);
SSL_set_tlsext_status_ocsp_resp(ssl, p, cinf->resp_derlen);
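Review bot: The log levels look inverted relative to the failure severity: the new `p == nullptr` branch reports an allocation failure with `Dbg`, while the existing "failed to get certificate status" message is promoted to `Error`. Going by the commit message ("Change the debug log to an error log"), the promotion was probably meant for the new allocation message, i.e. `Error("ssl_callback_ocsp_stapling: failed to allocate memory for %s", cinf->certname);`. The status-miss branch is taken whenever `cinf->resp_derlen == 0` or the response has expired, and this appears to be a per-handshake callback, so an `Error` there can be emitted once per client connection for as long as no response is cached. Consider leaving that message at `Dbg` or rate-limiting it, so that log volume is not driven by inbound connections. The body of `ssl_callback_ocsp_stapling` starts and ends outside this hunk.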