diff options
| author | Victor Stinner <vstinner@redhat.com> | 2019-02-26 00:17:02 (GMT) |
|---|---|---|
| committer | larryhastings <larry@hastings.org> | 2019-02-26 00:17:02 (GMT) |
| commit | efec7631edf3b9480dc3988c97ffef94df8800da (patch) | |
| tree | 8d1520faffca8f0cce45f31fab2d8eca60ab5843 /Modules/_ssl.c | |
| parent | 8bcbc7896d1fe1c289bae339d408fdf1472a00fa (diff) | |
| download | cpython-efec7631edf3b9480dc3988c97ffef94df8800da.zip cpython-efec7631edf3b9480dc3988c97ffef94df8800da.tar.gz cpython-efec7631edf3b9480dc3988c97ffef94df8800da.tar.bz2 | |
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (#11867)
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
distribution points with empty DP or URI correctly. A malicious or buggy
certificate can result into segfault.
Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas
Edet of Cisco.
Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
Diffstat (limited to 'Modules/_ssl.c')
| -rw-r--r-- | Modules/_ssl.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c index 8648267..f721391 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -1194,6 +1194,10 @@ _get_crl_dp(X509 *certificate) { STACK_OF(GENERAL_NAME) *gns; dp = sk_DIST_POINT_value(dps, i); + if (dp->distpoint == NULL) { + /* Ignore empty DP value, CVE-2019-5010 */ + continue; + } gns = dp->distpoint->name.fullname; for (j=0; j < sk_GENERAL_NAME_num(gns); j++) { |