Potential null pointer dereference in PySSLSession_richcompare #126106

Closed
federicovalenso opened this issue Oct 29, 2024 · 1 comment
Labels
3.12 (only security fixes), 3.13 (bugs and security fixes), 3.14 (bugs and security fixes), easy, extension-modules (C modules in the Modules dir), topic-SSL, type-bug (An unexpected behavior, bug, or error)

Comments

federicovalenso (Contributor) commented Oct 29, 2024

Bug report

Bug description:

Pointer `left` is dereferenced here, but the null-pointer check is done later. Correct code should look like this:

    int result;
    if (left == NULL || right == NULL) {
        PyErr_BadInternalCall();
        return NULL;
    }

    PyTypeObject *sesstype = ((PySSLSession*)left)->ctx->state->PySSLSession_Type;

CPython versions tested on:

3.11

Operating systems tested on:

No response
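
The ordering problem described in this report, reduced to a stand-alone C model. This is an added example, not code from CPython or from the issue's participants; the struct layout, function names, return codes and sample objects are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the session -> ctx -> state chain (assumed layout). */
typedef struct { int session_type_id; } state_t;
typedef struct { state_t *state; } ctx_t;
typedef struct { ctx_t *ctx; int type_id; int id; } session_t;

enum { CMP_ERROR = -1, CMP_NOT_EQUAL = 0, CMP_EQUAL = 1, CMP_NOT_IMPLEMENTED = 2 };

/* Before: the initializer dereferences `left`, so the NULL test comes too late.
 * Dereferencing NULL is undefined behaviour, so an optimizer may also assume
 * `left != NULL` afterwards and delete the `left == NULL` half of the test. */
int compare_check_late(const session_t *left, const session_t *right)
{
    int expected = left->ctx->state->session_type_id;  /* dereference first */
    if (left == NULL || right == NULL)                 /* check second */
        return CMP_ERROR;
    if (left->type_id != expected || right->type_id != expected)
        return CMP_NOT_IMPLEMENTED;
    return left->id == right->id ? CMP_EQUAL : CMP_NOT_EQUAL;
}

/* After: validate both arguments, then walk left->ctx->state.
 * A non-NULL session is assumed to carry a valid ctx and state. */
int compare_check_first(const session_t *left, const session_t *right)
{
    if (left == NULL || right == NULL)
        return CMP_ERROR;
    int expected = left->ctx->state->session_type_id;
    if (left->type_id != expected || right->type_id != expected)
        return CMP_NOT_IMPLEMENTED;
    return left->id == right->id ? CMP_EQUAL : CMP_NOT_EQUAL;
}

/* Constructed sample objects. */
static state_t demo_state = { 7 };
static ctx_t demo_ctx = { &demo_state };
static session_t sess_a = { &demo_ctx, 7, 1 }, sess_b = { &demo_ctx, 7, 1 };
static session_t sess_c = { &demo_ctx, 7, 2 }, other = { &demo_ctx, 9, 1 };

int main(void)
{
    printf("NULL left  -> %d\n", compare_check_first(NULL, &sess_a));
    printf("a vs b     -> %d\n", compare_check_first(&sess_a, &sess_b));
    printf("a vs c     -> %d\n", compare_check_first(&sess_a, &sess_c));
    printf("a vs other -> %d\n", compare_check_first(&sess_a, &other));
    return 0;
}
```
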

@federicovalenso federicovalenso added the type-bug An unexpected behavior, bug, or error label Oct 29, 2024
@picnixz picnixz changed the title Potential null pointer dereference Potential null pointer dereference in PySSLSession_richcompare Oct 29, 2024
@picnixz picnixz added extension-modules C modules in the Modules dir topic-SSL 3.12 only security fixes 3.13 bugs and security fixes 3.14 bugs and security fixes easy labels Oct 29, 2024
picnixz (Member) commented Oct 29, 2024

Thanks for spotting this. This still happens on main. Feel free to open a PR (I can do it as well if you want).

Note: 3.11 is security-only and this does not seem to count as a security issue unless someone is able to provide me a PoC of an exploit using that null pointer dereference.

sobolevn added a commit to sobolevn/cpython that referenced this issue Oct 29, 2024
sobolevn added a commit that referenced this issue Oct 29, 2024
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 29, 2024
…ythonGH-126111)

(cherry picked from commit a64a1c9)

Co-authored-by: sobolevn <mail@sobolevn.me>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Oct 29, 2024
…ythonGH-126111)

(cherry picked from commit a64a1c9)

Co-authored-by: sobolevn <mail@sobolevn.me>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
sobolevn added a commit that referenced this issue Oct 29, 2024
…H-126111) (#126117)

gh-126106: Fix `NULL` possible derefrence in `Modules/_ssl.c` (GH-126111)
(cherry picked from commit a64a1c9)

Co-authored-by: sobolevn <mail@sobolevn.me>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
sobolevn added a commit that referenced this issue Oct 29, 2024
…H-126111) (#126116)

gh-126106: Fix `NULL` possible derefrence in `Modules/_ssl.c` (GH-126111)
(cherry picked from commit a64a1c9)

Co-authored-by: sobolevn <mail@sobolevn.me>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
picnixz added a commit to picnixz/cpython that referenced this issue Dec 8, 2024
…ython#126111)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
ebonnal pushed a commit to ebonnal/cpython that referenced this issue Jan 12, 2025
…ython#126111)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>