bpo-35746: Fix segfault in ssl's cert parser (GH-11569) (GH-11573)

Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue35746 (cherry picked from commit a37f52436f9aa4b9292878b72f3ff1480e2606c3) Co-authored-by: Christian Heimes <christian@python.org>
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2019-01-15 17:16:36 -0800
committer: Ned Deily <nad@python.org> 2019-01-15 20:16:36 -0500
commit: 216a4d83c3b72f4fdcd81b588dc3f42cc461739a (patch)
tree: 67bd149c36fb1f4c38aac5d237e6958c7145af71 /Modules
parent: d09e8cecf214b1de457feae01860f5592f912a8e (diff)
download: cpython-git-216a4d83c3b72f4fdcd81b588dc3f42cc461739a.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index a188d6a729..7365630a5e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1338,6 +1338,10 @@ _get_crl_dp(X509 *certificate) {
         STACK_OF(GENERAL_NAME) *gns;
 
         dp = sk_DIST_POINT_value(dps, i);
+        if (dp->distpoint == NULL) {
+            /* Ignore empty DP value, CVE-2019-5010 */
+            continue;
+        }
         gns = dp->distpoint->name.fullname;
 
         for (j=0; j < sk_GENERAL_NAME_num(gns); j++) {
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	2019-01-15 17:16:36 -0800
committer	Ned Deily <nad@python.org>	2019-01-15 20:16:36 -0500
commit	216a4d83c3b72f4fdcd81b588dc3f42cc461739a (patch)
tree	67bd149c36fb1f4c38aac5d237e6958c7145af71 /Modules
parent	d09e8cecf214b1de457feae01860f5592f912a8e (diff)
download	cpython-git-216a4d83c3b72f4fdcd81b588dc3f42cc461739a.tar.gz