Fix crash in X509_STORE_CTX_get_by_subject
authorMatt Caswell <matt@openssl.org>
Mon, 8 Apr 2019 10:22:37 +0000 (11:22 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 9 Apr 2019 09:26:44 +0000 (10:26 +0100)
If using a custom X509_LOOKUP_METHOD then calls to
X509_STORE_CTX_get_by_subject may crash due to an incorrectly initialised
X509_OBJECT being passed to the callback get_by_subject function.

Fixes #8673

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8698)

crypto/x509/x509_lu.c

index fa8153d..e994633 100644 (file)
@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
     if (ctx == NULL)
         return 0;
 
+    stmp.type = X509_LU_NONE;
+    stmp.data.ptr = NULL;
+
     CRYPTO_THREAD_write_lock(ctx->lock);
     tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
     CRYPTO_THREAD_unlock(ctx->lock);