openssl: fix crash on missing cert password

- Return 0 for password length if OpenSSL is expecting a certificate
  password but the user did not provide one.

Prior to this change libcurl would crash if OpenSSL called the certificate
password callback in libcurl but no password was provided (NULL).

Reported-by: Roman Zharkov

Fixes https://github.com/curl/curl/issues/16806
Closes https://github.com/curl/curl/pull/16807
Jay Satiro 2025-03-24 02:48:01 -04:00
parent 18f04faef9
commit e601668154


@ -931,14 +931,14 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
}
static int passwd_callback(char *buf, int num, int encrypting,
void *global_passwd)
void *password)
{
DEBUGASSERT(0 == encrypting);
if(!encrypting && num >= 0) {
int klen = curlx_uztosi(strlen((char *)global_passwd));
if(!encrypting && num >= 0 && password) {
int klen = curlx_uztosi(strlen((char *)password));
if(num > klen) {
memcpy(buf, global_passwd, klen + 1);
memcpy(buf, password, klen + 1);
return klen;
}
}