Commit dbf949c4b2 for openssl.org

commit dbf949c4b2f403d4b212e045adfe0686755bb229
Author: mat <mateiignat03@gmail.com>
Date:   Wed Apr 29 09:08:44 2026 +0300

    ssl: guard ciphersuite_cb() against NULL elem from CONF_parse_list

    CONF_parse_list() invokes its callback with elem=NULL and len=0 for
    empty list elements (e.g. consecutive separators like "A::B").
    ciphersuite_cb() passed elem directly to memcpy() without checking for
    NULL, triggering undefined behaviour on any input containing an empty
    ciphersuite token.

    Skip empty elements early by returning 1 before any pointer dereference.

    Fixes #30919

    Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Tue May 26 08:56:52 2026
    (Merged from https://github.com/openssl/openssl/pull/31023)

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index fc12efaae1..80fa976f47 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1234,6 +1234,10 @@ static int ciphersuite_cb(const char *elem, int len, void *arg)
     /* Arbitrary sized temp buffer for the cipher name. Should be big enough */
     char name[80];

+    /* CONF_parse_list signals empty elements with elem==NULL; skip them */
+    if (elem == NULL || len == 0)
+        return 1;
+
     if (len > (int)(sizeof(name) - 1))
         /* Anyway return 1 so we can parse rest of the list */
         return 1;