Null Pointer Dereference (NPD) (70)
In ecall_OBJ_nid2sn, invalid n fed to OBJ_nid2sn will cause NULL is returned to str (e.g. when ecall_OBJ_create is not called before), and then strlen(str) will crash
In ecall_ENGINE_get_name, ename is obtained from e, and can be null, then strlen can crash
In ecall_SSL_CIPHER_get_name, ret obtained from c can be null, then strlen(ret) can crash.
In ecall_SSL_set_fd, when ssl_hardening is never initialized before (get_ssl_hardening not called before), then m obtained is newly created and m->count is 0, cause output in_s with null in hashmapGet, then in SSL_copy_fields_to_in_struct, in->state crashes. What's more, out_s assigned with parameter can be null but without any check, then out->state crashes. Below are functions that have same problem:
Another simliar case is ecall_SSL_set_info_callback->SSL_copy_fields_to_out_struct, invalid in_s output out_s with null in hashmapGet, then out->state crash. Below are functions that have same problem:
In ecall_BN_to_ASN1_INTEGER -> BN_to_ASN1_INTEGER, when bn is null, BN_is_negative(bn) can crash.
ecall_X509_get_ex_data -> X509_get_ex_data -> CRYPTO_get_ex_data. When r in ECALL is fed with null, ad is 0x28, then ad->sk cause NPD.
ecall_SSL_CTX_get_client_CA_list -> SSL_CTX_get_client_CA_list. When ctx is null, ctx->client_CA crashes.
ecall_X509_get_cert_key_algor_algorithm->X509_get_cert_key_algor_algorithm. x->cert_info->key->algor can be null, then x->cert_info->key->algor->algorithm; cause NPD. Below are functions that have same problem:
ecall_SSL_use_PrivateKey->SSL_use_PrivateKey->ssl_cert_inst. ssl in SSL_use_PrivateKey can be null, then o from &ssl->cert is 0xf8, then *o == NULL crash.
ecall_SSL_set_connect_state->SSL_set_connect_state. s can be null, then s->server = 0; crash. Below are functions that have same problem:
ecall_BN_dup->BN_dup->BN_copy. A is from a->d and is null since a is newly allocated from BN_new. Then A[0] crashes. When i smaller then 0, A[1] crashes in case 3, case 2 and case 1
ecall_SSL_CTX_set_default_verify_paths->SSL_CTX_set_default_verify_paths. ctx can be null, then ctx->cert_store crashes
ecall_SSL_get_error->SSL_get_error->SSL_want_read (SSL_want). s can be null, then s->rwstate crashes
ecall_X509_check_issued->X509_check_issued->X509_NAME_cmp->i2d_X509_NAME->ASN1_item_i2d->asn1_item_flags_i2d->ASN1_item_ex_i2d->ef->asn1_ex_i2d->x509_name_encode->BUF_MEM_grow. str can be null, then str->length crashes.
ecall_SSL_CTX_set_cipher_list->SSL_CTX_set_cipher_list. ctx can be null, then ctx->method crashes
ecall_SSL_CTX_set_default_verify_paths->SSL_CTX_set_default_verify_paths->X509_STORE_set_default_paths->X509_STORE_add_lookup->sk_X509_LOOKUP_push (sk_push)->sk_insert. st->data can be null, st->data[st->num] crashes
ecall_X509_digest->X509_digest->ASN1_item_digest->ASN1_item_i2d->asn1_item_flags_i2d->ASN1_item_ex_i2d->asn1_template_ex_i2d->ASN1_item_ex_i2d->asn1_template_ex_i2d->ASN1_item_ex_i2d->asn1_i2d_ex_primitive->asn1_ex_i2c. pf can be null, then pf->prim_i2c crashes
ecall_EC_KEY_free->EC_KEY_free->EC_GROUP_free. group
ecall_SSL_CTX_use_PrivateKey_file->SSL_CTX_use_PrivateKey_file->BIO_new->execute_bio_ocall_malloc->bio_alloc_from_pool. When first call get_bio_mempool, m_memStart of returned pool is 0, then in pool_alloc, AddrFromIndex return p with null, then *p crashes
ecall_X509_set_ex_data->X509_set_ex_data->CRYPTO_set_ex_data->sk_void_set (sk_set). st->data can be null.
Null Pointer Dereference (NPD) (70)
In
ecall_OBJ_nid2sn, invalidnfed toOBJ_nid2snwill cause NULL is returned tostr(e.g. whenecall_OBJ_createis not called before), and thenstrlen(str)will crashIn
ecall_ENGINE_get_name,enameis obtained frome, and can be null, thenstrlencan crashIn
ecall_SSL_CIPHER_get_name,retobtained fromccan be null, thenstrlen(ret)can crash.In
ecall_SSL_set_fd, when ssl_hardening is never initialized before (get_ssl_hardeningnot called before), thenmobtained is newly created andm->countis 0, cause outputin_swith null inhashmapGet, then inSSL_copy_fields_to_in_struct,in->statecrashes. What's more,out_sassigned with parameter can be null but without any check, thenout->statecrashes. Below are functions that have same problem:in_scan be null, thenin_s->referencescrash)Another simliar case is
ecall_SSL_set_info_callback->SSL_copy_fields_to_out_struct, invalidin_soutputout_swith null inhashmapGet, thenout->statecrash. Below are functions that have same problem:In
ecall_BN_to_ASN1_INTEGER->BN_to_ASN1_INTEGER, whenbnis null, BN_is_negative(bn) can crash.ecall_X509_get_ex_data->X509_get_ex_data->CRYPTO_get_ex_data. Whenrin ECALL is fed with null,adis 0x28, thenad->skcause NPD.ecall_SSL_CTX_get_client_CA_list->SSL_CTX_get_client_CA_list. Whenctxis null,ctx->client_CAcrashes.ecall_X509_get_cert_key_algor_algorithm->X509_get_cert_key_algor_algorithm.x->cert_info->key->algorcan be null, thenx->cert_info->key->algor->algorithm;cause NPD. Below are functions that have same problem:ecall_SSL_use_PrivateKey->SSL_use_PrivateKey->ssl_cert_inst.sslinSSL_use_PrivateKeycan be null, thenofrom&ssl->certis 0xf8, then*o == NULLcrash.ecall_SSL_set_connect_state->SSL_set_connect_state.scan be null, thens->server = 0;crash. Below are functions that have same problem:s->certinSSL_get_certificate)s->certinSSL_get_privatekey)s->handshake_funcinSSL_do_handshake)ctx->cert_storeinSSL_CTX_get_cert_store)x->cert_infoinX509_sign)ctxinSSL_CTX_get_verify_mode)ctxinSSL_CTX_set_default_passwd_cb)ctxinSSL_CTX_ctrl)ctxandctx->digestinEVP_DigestFinal_ex)X509_get_extinX509_get_ext)ctxinSSL_CTX_get_verify_callback)ainX509_get_subject_name)einENGINE_get_name)x->cert_info->keyinX509_pubkey_digest->X509_get0_pubkey_bitstr)serverinSSL_select_next_proto,server[i])r->methinDH_free)ctxinSSL_CTX_sess_set_get_cb)ainBN_is_zero)ainBN_num_bits)einENGINE_get_id)pis from*ppwhich is one of ECALL parameters, ind2i_SSL_SESSION->asn1_GetSequence->ASN1_get_object)sinSSL_CTX_set_ex_data, then&s->ex_datais 0xd0,ad->skinCRYPTO_set_ex_datacrash)ecall_BN_dup->BN_dup->BN_copy.Ais froma->dand is null sinceais newly allocated fromBN_new. ThenA[0]crashes. Whenismaller then 0,A[1]crashes incase 3,case 2andcase 1ecall_SSL_CTX_set_default_verify_paths->SSL_CTX_set_default_verify_paths.ctxcan be null, thenctx->cert_storecrashesecall_SSL_get_error->SSL_get_error->SSL_want_read(SSL_want).scan be null, thens->rwstatecrashesecall_X509_check_issued->X509_check_issued->X509_NAME_cmp->i2d_X509_NAME->ASN1_item_i2d->asn1_item_flags_i2d->ASN1_item_ex_i2d->ef->asn1_ex_i2d->x509_name_encode->BUF_MEM_grow.strcan be null, thenstr->lengthcrashes.ecall_SSL_CTX_set_cipher_list->SSL_CTX_set_cipher_list.ctxcan be null, thenctx->methodcrashesecall_SSL_CTX_set_default_verify_paths->SSL_CTX_set_default_verify_paths->X509_STORE_set_default_paths->X509_STORE_add_lookup->sk_X509_LOOKUP_push(sk_push)->sk_insert.st->datacan be null,st->data[st->num]crashesecall_X509_digest->X509_digest->ASN1_item_digest->ASN1_item_i2d->asn1_item_flags_i2d->ASN1_item_ex_i2d->asn1_template_ex_i2d->ASN1_item_ex_i2d->asn1_template_ex_i2d->ASN1_item_ex_i2d->asn1_i2d_ex_primitive->asn1_ex_i2c.pfcan be null, thenpf->prim_i2ccrashesecall_EC_KEY_free->EC_KEY_free->EC_GROUP_free.groupecall_SSL_CTX_use_PrivateKey_file->SSL_CTX_use_PrivateKey_file->BIO_new->execute_bio_ocall_malloc->bio_alloc_from_pool. When first callget_bio_mempool,m_memStartof returnedpoolis 0, then inpool_alloc,AddrFromIndexreturnpwith null, then*pcrashesecall_X509_set_ex_data->X509_set_ex_data->CRYPTO_set_ex_data->sk_void_set(sk_set).st->datacan be null.