Fix wild pointer dereference in make_ocsp_response()

The function OCSP_basic_add1_status() will return NULL on malloc failure.
However the return value is not checked before being passed to
OCSP_SINGLERESP_add1_ext_i2d(), and there is a wild field pointer,
which could lead to wild pointer dereference.

Fix this by adding return value check

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18081)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 51f2b37f479fd110f0050d278052e19e6b5c87e9..a2f974cf7ba071f9545ce0ae34c652bd3675b564 100644 (file)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1119,6 +1119,11 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
             single = OCSP_basic_add1_status(bs, cid,
                                             V_OCSP_CERTSTATUS_REVOKED,
                                             reason, revtm, thisupd, nextupd);
+            if (single == NULL) {
+                *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
+                                             NULL);
+                goto end;
+            }
             if (invtm != NULL)
                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
                                              invtm, 0, 0);