[jira] [Commented] (PROTON-2919) Potential NULL dereference in SSL initialization path when calling X509_STORE_set_flags

Tue, 24 Mar 2026 15:03:08 -0700 


    [ 
https://issues.apache.org/jira/browse/PROTON-2919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18068126#comment-18068126
 ] 

Andrew Stitcher commented on PROTON-2919:
-----------------------------------------

[~terminator111] - It would help if you could use simple text pasted from the 
error message to report the bug - we can't easily cut/paste from the report to 
investigate without retyping and that makes this harder than necessary to look 
into.

Also 'latest master' isn't a useful descriptor of the version you tested - 
there is no current branch with this name. Currently all releases are branched 
from 'main'. To be specific please use the git SHA, and/or tell us the release 
(I'm presuming the bug would be in 0.40).

If you can be more specific about the specific circumstances that will also 
help in reproduction of the bug - Ideally giving us some code using the API 
that triggers this bug would be ideal.

> Potential NULL dereference in SSL initialization path when calling 
> X509_STORE_set_flags
> ---------------------------------------------------------------------------------------
>
>                 Key: PROTON-2919
>                 URL: https://issues.apache.org/jira/browse/PROTON-2919
>             Project: Qpid Proton
>          Issue Type: Bug
>         Environment: Qpid Proton: latest master
> OpenSSL: 1.1.x
> Compiler: gcc
>            Reporter: Qi Xu
>            Priority: Minor
>         Attachments: image-2026-03-10-18-26-55-532.png
>
>
> While testing the SSL initialization path in Qpid Proton, I encountered a 
> segmentation fault triggered during the initialization of an SSL domain. The 
> crash appears to occur when X509_STORE_set_flags() is called with a NULL 
> X509_STORE pointer.
> From the stack trace, it seems that the certificate store returned during SSL 
> domain initialization may be NULL in some cases, and the code path does not 
> currently perform a defensive check before calling X509_STORE_set_flags().
> This leads to a NULL pointer dereference inside OpenSSL.
> !image-2026-03-10-18-26-55-532.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to