33 lines
1.1 KiB
Diff
33 lines
1.1 KiB
Diff
|
commit 216a4d83c3b72f4fdcd81b588dc3f42cc461739a
|
||
|
Author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
|
||
|
Date: Tue Jan 15 17:16:36 2019 -0800
|
||
|
|
||
|
bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573)
|
||
|
|
||
|
Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL
|
||
|
distribution points with empty DP or URI correctly. A malicious or buggy
|
||
|
certificate can result into segfault.
|
||
|
|
||
|
Signed-off-by: Christian Heimes <christian@python.org>
|
||
|
|
||
|
https://bugs.python.org/issue35746
|
||
|
(cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3)
|
||
|
|
||
|
Co-authored-by: Christian Heimes <christian@python.org>
|
||
|
|
||
|
diff --git Modules/_ssl.c Modules/_ssl.c
|
||
|
index a188d6a729..7365630a5e 100644
|
||
|
--- Modules/_ssl.c
|
||
|
+++ Modules/_ssl.c
|
||
|
@@ -1338,6 +1338,10 @@ _get_crl_dp(X509 *certificate) {
|
||
|
STACK_OF(GENERAL_NAME) *gns;
|
||
|
|
||
|
dp = sk_DIST_POINT_value(dps, i);
|
||
|
+ if (dp->distpoint == NULL) {
|
||
|
+ /* Ignore empty DP value, CVE-2019-5010 */
|
||
|
+ continue;
|
||
|
+ }
|
||
|
gns = dp->distpoint->name.fullname;
|
||
|
|
||
|
for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
|