Google Git
Sign in
pigweed / third_party / boringssl / boringssl / 8a69c0d4f8f412432f80dd36ee5987fb1675bfbc
commit8a69c0d4f8f412432f80dd36ee5987fb1675bfbc[log] [tgz]
authorDavid Benjamin <davidben@google.com>Tue Jan 31 13:14:54 2023 -0500
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Jan 31 18:27:58 2023 +0000
treef3033d8bbe22824965046c235449d3d55300366a
parent507ac830036d7531489490831814cf03e0d7c4d6 [diff]
Check for null value in set_dist_point_name.

CONF_VALUEs are a mess. They show up in three forms:

- When parsed from a config file (in a CONF), I believe name and value
  are never NULL.

- Internally, CONF represents sections as funny CONF_VALUEs where name
  is NULL, and value is a STACK_OF(CONF_VALUE) of the wrong type. This
  is ridiculous and should be a separate type, though I don't believe it
  ever leaks outside the public API.

- When created by X509V3_parse_list, it is possible for them to be
  value-less, with a NULL value.

v2i functions can see the last case, and set_dist_point_name comes from
a v2i function. Add a missing NULL check. This only impacts the unsafe,
stringly-typed extensions-building APIs that no one should be using
anyway.

Also fix the name of the test I added in the previous CL. I didn't quite
follow the existing convention.

Fixed: oss-fuzz:55558
Change-Id: I1a2403312f3ce59007d23fe7e226f2e602653019
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56705
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
2 files changed
tree: f3033d8bbe22824965046c235449d3d55300366a
  1. .github/
  2. cmake/
  3. crypto/
  4. decrepit/
  5. fuzz/
  6. include/
  7. rust/
  8. ssl/
  9. third_party/
  10. tool/
  11. util/
  12. .clang-format
  13. .gitignore
  14. API-CONVENTIONS.md
  15. BREAKING-CHANGES.md
  16. BUILDING.md
  17. CMakeLists.txt
  18. codereview.settings
  19. CONTRIBUTING.md
  20. FUZZING.md
  21. go.mod
  22. go.sum
  23. INCORPORATING.md
  24. LICENSE
  25. OpenSSLConfig.cmake
  26. PORTING.md
  27. README.md
  28. SANDBOXING.md
  29. sources.cmake
  30. STYLE.md
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

There are other files in this directory which might be helpful: