Issue:
In src/core/ssl.c:74-75, on failure to load the system CA database (trust store), the following code attempts to dereference (*error)->message unconditionally:
    context->ssl->system_trust_db = g_tls_file_database_new(ca_bundle_file, error);
    if (context->ssl->system_trust_db == NULL) {
        g_warning("FATAL: Failed to load system CA trust store from %s: %s",
                  ca_bundle_file, (*error)->message);
        g_free(context->ssl);
        context->ssl = NULL;
        return FALSE;
    }
If g_tls_file_database_new fails but does not set *error, dereferencing (*error)->message is a null pointer dereference and the process crashes. A trust-store failure therefore ends in an uncontrolled crash instead of the intended fail-closed abort.
Example:
    if (context->ssl->system_trust_db == NULL) {
        g_warning("FATAL: Failed to load system CA trust store from %s: %s",
                  ca_bundle_file, (*error)->message); // (*error) may be NULL here!
        g_free(context->ssl);
        context->ssl = NULL;
        return FALSE;
    }
Impact:
- Unhandled null dereference = process crash
- May result in service outage instead of clean abort
Suggested fix:
Add a check for the error pointer before dereferencing:
    const char *err_msg = (error && *error) ? (*error)->message : "(no error set)";
    g_warning("FATAL: Failed to load system CA trust store from %s: %s",
              ca_bundle_file, err_msg);
Fail-closed must still occur, but without risk of accessing a null pointer.
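The fail-closed pattern with a null-safe error lookup, as an added stand-alone example that is not code from src/core/ssl.c. To compile without GLib it uses a hypothetical Error struct in place of GError, a simulated loader (fake_database_new) that reproduces the "fails without setting *error" case, and a last_msg out-parameter in place of g_warning.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for GLib's GError (assumption: only `message` matters). */
typedef struct { char *message; } Error;

/* Stand-in for context->ssl; only the trust-store pointer is modelled. */
typedef struct { void *system_trust_db; } SslState;
typedef struct { SslState *ssl; } Context;

/* Returns a printable message whether or not the callee populated *error.
 * This is the check the suggested fix adds. */
const char *safe_error_message(Error **error) {
    return (error && *error && (*error)->message) ? (*error)->message
                                                  : "(no error set)";
}

/* Simulated loader (constructed for the example): a NULL path fails and sets
 * *error; an empty path fails WITHOUT touching *error, the case in the issue. */
static void *fake_database_new(const char *path, Error **error) {
    static Error err = { "No such file" };
    static int db;
    if (path == NULL) { if (error) *error = &err; return NULL; }
    if (path[0] == '\0') return NULL;   /* failure, *error left untouched */
    return &db;
}

/* Fail-closed caller: on any failure the ssl state is torn down and 0 is
 * returned; *last_msg receives the message that would have been logged. */
int init_trust_store(Context *ctx, const char *path, const char **last_msg) {
    Error *error = NULL;
    ctx->ssl = calloc(1, sizeof *ctx->ssl);
    ctx->ssl->system_trust_db = fake_database_new(path, &error);
    if (ctx->ssl->system_trust_db == NULL) {
        *last_msg = safe_error_message(&error); /* never dereferences NULL */
        free(ctx->ssl);
        ctx->ssl = NULL;
        return 0;                               /* fail closed */
    }
    *last_msg = NULL;
    return 1;
}
```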