[ 
https://issues.apache.org/jira/browse/PROTON-2919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18071983#comment-18071983
 ] 

Qi Xu commented on PROTON-2919:
-------------------------------

Thanks for your feedback! Here are more details.

## 1. Text of stack trace

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1431470==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f3f5e4f0f44 bp 0x000000000002 sp 0x7ffee8a20738 T0)
==1431470==The signal is caused by a READ memory access.
==1431470==Hint: address points to the zero page.
#0 0x7f3f5e4f0f43 in X509_STORE_set_flags (/root/openssl_1.1_injected/lib/libcrypto.so.1.1+0x20af43)
#1 0x7f3f5e6a56ac in pni_init_ssl_domain /root/injection/qpid-proton/c/src/ssl/openssl.c:567
#2 0x7f3f5e6a5bbd in pn_ssl_domain /root/injection/qpid-proton/c/src/ssl/openssl.c:601
#3 0x7f3f5eca0b23 in proton::ssl_options_impl::ssl_options_impl(bool) /root/injection/qpid-proton/cpp/src/ssl_options.cpp:62
#4 0x7f3f5eca0cd7 in proton::ssl_server_options::impl::impl() /root/injection/qpid-proton/cpp/src/ssl_options_impl.hpp:44
#5 0x7f3f5eca0cd7 in proton::ssl_server_options::ssl_server_options(proton::ssl_certificate const&) /root/injection/qpid-proton/cpp/src/ssl_options.cpp:88
#6 0x557e2105a2b5 in hello_world_direct::on_container_start(proton::container&) /root/injection/qpid-proton/cpp-examples/ssl.cpp:98
#7 0x7f3f5ec5c4de in __pthread_once_slow /build/glibc-LcI20x/glibc-2.31/nptl/pthread_once.c:116
#8 0x7f3f5ec9aaad in __gthread_once /usr/include/x86_64-linux-gnu/c++/9/bits/gthr-default.h:700
#9 0x7f3f5ec9aaad in void std::call_once<void (proton::container::impl::)(), proton::container::impl*>(std::once_flag&, void (proton::container::impl::&&)(), proton::container::impl*&&) [clone .constprop.0] /usr/include/c++/9/mutex:683
#10 0x7f3f5ecaf49e in proton::container::impl::run(int) /root/injection/qpid-proton/cpp/src/proactor_container_impl.cpp:811
#11 0x557e21052ca7 in main /root/injection/qpid-proton/cpp-examples/ssl.cpp:180
#12 0x7f3f5e72f082 in __libc_start_main ../csu/libc-start.c:308
#13 0x557e2105102d in _start (/root/injection/qpid-proton/cpp-examples/bld/ssl+0x802d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/root/openssl_1.1_injected/lib/libcrypto.so.1.1+0x20af43) in X509_STORE_set_flags
==1431470==ABORTING
```

## 2. Env

git commit SHA: b19fbee7fc03d8e14791382416105fd4aed7ddb7

OpenSSL: 1.1.x

Compiler: gcc

OS: Ubuntu 22.04
## 3. Analysis

The crash occurs during SSL domain initialization when creating a Proton 
container with SSL enabled. From the stack trace, it appears that 
`SSL_CTX_get_cert_store()` may return a NULL pointer in some cases, and the 
code does not check it before calling `X509_STORE_set_flags()`.

```c
  X509_STORE* store = SSL_CTX_get_cert_store(domain->ctx);
  X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
```
Possible fix:

```c
  X509_STORE* store = SSL_CTX_get_cert_store(domain->ctx);
  if (store) {
    X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
  }
```

Please let me know if more detailed info is needed; I'd be happy to provide it.

> Potential NULL dereference in SSL initialization path when calling 
> X509_STORE_set_flags
> ---------------------------------------------------------------------------------------
>
>                 Key: PROTON-2919
>                 URL: https://issues.apache.org/jira/browse/PROTON-2919
>             Project: Qpid Proton
>          Issue Type: Bug
>         Environment: Qpid Proton: latest master
> OpenSSL: 1.1.x
> Compiler: gcc
>            Reporter: Qi Xu
>            Assignee: Andrew Stitcher
>            Priority: Minor
>         Attachments: image-2026-03-10-18-26-55-532.png
>
>
> While testing the SSL initialization path in Qpid Proton, I encountered a 
> segmentation fault triggered during the initialization of an SSL domain. The 
> crash appears to occur when X509_STORE_set_flags() is called with a NULL 
> X509_STORE pointer.
> From the stack trace, it seems that the certificate store returned during SSL 
> domain initialization may be NULL in some cases, and the code path does not 
> currently perform a defensive check before calling X509_STORE_set_flags().
> This leads to a NULL pointer dereference inside OpenSSL.
> !image-2026-03-10-18-26-55-532.png!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)