Commit 0c45bd8d authored Apr 08, 2019 by Matt Caswell

Fix crash in X509_STORE_CTX_get_by_subject



If using a custom X509_LOOKUP_METHOD then calls to
X509_STORE_CTX_get_by_subject may crash due to an incorrectly initialised
X509_OBJECT being passed to the callback get_by_subject function.

Fixes #8673

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8698)

(cherry picked from commit b926f9de)

parent d7af8598

crypto/x509/x509_lu.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -297,6 +297,9 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
		if (ctx == NULL)
		return 0;

		stmp.type = X509_LU_NONE;
		stmp.data.ptr = NULL;

		CRYPTO_THREAD_write_lock(ctx->lock);
		tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
		CRYPTO_THREAD_unlock(ctx->lock);