Commit 5e2e7c60d3 for openssl.org
commit 5e2e7c60d33727f7818c6c0e915b02fe11be1188
Author: Anton Moryakov <ant.v.moryakov@gmail.com>
Date: Wed Oct 29 21:21:39 2025 +0300
apps: ocsp.c: fix null dereference in ocsp_response
Report of the static analyzer:
Function 'OCSP_cert_to_id' may return NULL on allocation failure,
but its return value is dereferenced in 'OCSP_id_issuer_cmp'
without prior NULL check at ocsp.c:1088. This can lead to a null
pointer dereference and cause a segmentation fault, resulting
in a denial-of-service (DoS) condition. Although such failures
are rare, an attacker could potentially trigger them under memory
pressure. All other calls to 'OCSP_cert_to_id' in the codebase
(e.g., add_ocsp_cert, add_ocsp_serial) properly check for NULL,
making this instance a clear omission.
Correct explained:
Added a NULL check after calling OCSP_cert_to_id() when creating
'ca_id' inside the issuer lookup loop. If the allocation fails, the
function now safely returns an internal error response instead of
risking a crash. This change aligns the code with existing
error-handling patterns in the same file and improves robustness
against resource exhaustion attacks.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 8 09:01:09 2026
(Merged from https://github.com/openssl/openssl/pull/29033)
diff --git a/apps/ocsp.c b/apps/ocsp.c
index b86d14f56c..084eb86b2a 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1134,6 +1134,12 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
X509 *ca_cert = sk_X509_value(ca, jj);
OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert);
+ if (ca_id == NULL) {
+ *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,
+ NULL);
+ goto end;
+ }
+
if (OCSP_id_issuer_cmp(ca_id, cid) == 0) {
found = 1;
if (resp_md != NULL)