This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.2.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit e5068fb9f228a11ebe423ab9953ff80c1abddc64 Author: Masakazu Kitajo <[email protected]> AuthorDate: Tue Mar 10 14:01:35 2026 -0600 Add a null check to OCSP stapling (#12951) * Add a null check to OCSP stapling Code analyzation found that the returned value is not checked before the memcpy. * Add debug log * Change the debug log to an error log (cherry picked from commit 37714677f5e3be671501b08b20672ddde5916b1a)
---
 src/iocore/net/OCSPStapling.cc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 23ac23c0a0..26bcdce3d4 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1396,10 +1396,15 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
 time_t current_time = time(nullptr);
 if ((cinf->resp_derlen == 0 || cinf->is_expire) || (cinf->expire_time < current_time && !cinf->is_prefetched)) {
 ink_mutex_release(&cinf->stapling_mutex);
- Dbg(dbg_ctl_ssl_ocsp, "ssl_callback_ocsp_stapling: failed to get certificate status for %s", cinf->certname);
+ Error("ssl_callback_ocsp_stapling: failed to get certificate status for %s", cinf->certname);
 return SSL_TLSEXT_ERR_NOACK;
 } else {
 unsigned char *p = static_cast<unsigned char *>(OPENSSL_malloc(cinf->resp_derlen));
+ if (p == nullptr) {
+ ink_mutex_release(&cinf->stapling_mutex);
+ Dbg(dbg_ctl_ssl_ocsp, "ssl_callback_ocsp_stapling: failed to allocate memory for %s", cinf->certname);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
 memcpy(p, cinf->resp_der, cinf->resp_derlen);
 ink_mutex_release(&cinf->stapling_mutex);
 SSL_set_tlsext_status_ocsp_resp(ssl, p, cinf->resp_derlen);
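Review bot: The new allocation-failure branch after `OPENSSL_malloc` logs through `Dbg(dbg_ctl_ssl_ocsp, ...)`, which is only emitted when that debug control is enabled, while the "failed to get certificate status" message in the first branch is the one raised to `Error`. If "Change the debug log to an error log" was meant for the new message, the line should read `Error("ssl_callback_ocsp_stapling: failed to allocate memory for %s", cinf->certname);`. The first branch appears reachable on any handshake that requests a staple while the cached response is missing or expired, so at `Error` level it may write one line per such handshake; it is worth confirming that volume is acceptable or throttling the message. Both log calls read `cinf->certname` after `ink_mutex_release`, which is safe only if that field never changes once the entry is published. The body of ssl_callback_ocsp_stapling starts and ends outside this hunk.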
