diff -up openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c
--- openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2015-04-01 12:41:27.998402503 +0200
+++ openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c 2015-04-02 15:24:26.781363674 +0200
@@ -151,6 +151,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
 EVP_PKEY *pkey;
 ASN1_OCTET_STRING *os=NULL;
 
+ if (p7 == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+ /*
+ * The content field in the PKCS7 ContentInfo is optional, but that really
+ * only applies to inner content (precisely, detached signatures).
+ *
+ * When reading content, missing outer content is therefore treated as an
+ * error.
+ *
+ * When creating content, PKCS7_content_new() must be called before
+ * calling this method, so a NULL p7->d is always an error.
+ */
+ if (p7->d.ptr == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
 i=OBJ_obj2nid(p7->type);
 p7->state=PKCS7_S_HEADER;
 
@@ -345,6 +366,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
 X509_ALGOR *xalg=NULL;
 PKCS7_RECIP_INFO *ri=NULL;
 
+ if (p7 == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+
+ if (p7->d.ptr == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
 i=OBJ_obj2nid(p7->type);
 p7->state=PKCS7_S_HEADER;
 
@@ -352,6 +385,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
 {
 case NID_pkcs7_signed:
 data_body=PKCS7_get_octet_string(p7->d.sign->contents);
+ if (!PKCS7_is_detached(p7) && data_body == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+ PKCS7_R_NO_CONTENT);
+ goto err;
+ }
 md_sk=p7->d.sign->md_algs;
 break;
 case NID_pkcs7_signedAndEnveloped:
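Review bot: The rationale for rejecting a NULL p7->d is written only in this PKCS7_dataInit hunk, while the identical guard in PKCS7_dataDecode (@@ -345), PKCS7_dataFinal (@@ -640) and PKCS7_dataVerify (@@ -852) is bare, so a reader of those functions has to find this comment to learn why PKCS7_R_NO_CONTENT is raised before the type switch. A one-line pointer at each of the other three sites, `/* NULL p7->d is always an error here; see PKCS7_dataInit() for why */`, keeps the reasoning in one place. Testing the union through `p7->d.ptr` before `OBJ_obj2nid(p7->type)` is the right order, since the type-specific branches below presumably dereference a typed member of that same union; the rest of PKCS7_dataInit lies outside the hunk.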
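Review bot: The new data_body check covers only the NID_pkcs7_signed case; if the signedAndEnveloped and enveloped cases that follow also take their body from PKCS7_get_octet_string(), they would need the same guard, but those cases lie outside the hunk and cannot be confirmed here. In the detached case data_body is deliberately left NULL, so whatever consumes it further down must tolerate that, presumably because the content then arrives through the function's input BIO; a short comment on the check, `/* detached: the body is supplied by the caller, so a missing body is only an error for attached data */`, would record that expectation where the next reader needs it. Note also that `p7->d.sign->contents` is passed to PKCS7_get_octet_string() unchecked; whether that helper accepts a NULL argument is not shown on this page.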
@@ -640,6 +679,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
 ASN1_OCTET_STRING *os=NULL;
 
+ if (p7 == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
 EVP_MD_CTX_init(&ctx_tmp);
 i=OBJ_obj2nid(p7->type);
 p7->state=PKCS7_S_HEADER;
@@ -671,6 +722,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 /* If detached data then the content is excluded */
 if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
 M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
 p7->d.sign->contents->d.data = NULL;
 }
 break;
@@ -681,6 +733,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
 {
 M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
 p7->d.digest->contents->d.data = NULL;
 }
 break;
@@ -818,6 +871,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 
 if (!PKCS7_is_detached(p7))
 {
+ /*
+ * NOTE(emilia): I think we only reach os == NULL here because detached
+ * digested data support is broken.
+ */
+ if (os == NULL)
+ goto err;
 btmp=BIO_find_type(bio,BIO_TYPE_MEM);
 if (btmp == NULL)
 {
@@ -852,6 +911,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st
 STACK_OF(X509) *cert;
 X509 *x509;
 
+ if (p7 == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL)
+ {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
 if (PKCS7_type_is_signed(p7))
 {
 cert=p7->d.sign->cert;
diff -up openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c
--- openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2007-02-03 10:51:59.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c 2015-04-02 15:18:12.874970022 +0200
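Review bot: Nothing at the `os = NULL;` line says why os must be cleared right after M_ASN1_OCTET_STRING_free(), and the reason sits about 150 lines away: the new `if (os == NULL) goto err;` in the !PKCS7_is_detached() block (@@ -818) is what appears to turn any later use of the freed pointer into a clean failure instead of a read of freed memory. A comment on the assignment, `/* os now dangles; the os == NULL check below must see this rather than freed memory */`, ties the two hunks together; the same applies to the digest case at @@ -681. Both hunks sit inside the type switch of PKCS7_dataFinal, whose body continues outside them.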
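Review bot: The new `goto err` is the only early exit added by this patch that pushes nothing onto the error queue (unless the err label itself reports one, which is not visible here), so a caller of PKCS7_dataFinal() that hits it gets 0 with no recorded reason and cannot tell a missing content body from any other failure. Adding `PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);` before the goto matches the other guards in this file. The NOTE(emilia) comment reads as a personal aside; consider restating it as the invariant it protects, i.e. that os can be NULL here only when one of the detached branches above freed and cleared it, so for attached data it indicates a structure this function does not support rather than a bug at this site. The surrounding function continues outside the hunk.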
@@ -473,6 +473,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
 
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
 {
+ if (p7 == NULL || p7->d.ptr == NULL)
+ return NULL;
 if (PKCS7_type_is_signed(p7))
 {
 return(p7->d.sign->signer_info);
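Review bot: The guard returns NULL silently, whereas every equivalent check added to pk7_doit.c in this patch raises PKCS7_R_INVALID_NULL_POINTER or PKCS7_R_NO_CONTENT, so a caller of PKCS7_get_signer_info() cannot distinguish a NULL or content-less structure from an unsigned one, which presumably also yields NULL further down. If silence is intended because this is a plain accessor, say so on the check: `/* accessor: no error is raised; NULL input and missing content both read as "no signer info" */`. The rest of the function is outside the hunk.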