crypto: fix missing nullptr check on RSA_new()#61888
crypto: fix missing nullptr check on RSA_new()#61888ndossche wants to merge 1 commit intonodejs:mainfrom
Conversation
Not checking this can cause a null deref. Since there is already a null check at the bottom of the function with `NewRSA()`.
|
Review requested:
|
nodejs-github-bot
added
c++
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #61888 +/- ##
==========================================
- Coverage 89.76% 89.74% -0.02%
==========================================
Files 675 674 -1
Lines 204674 204809 +135
Branches 39330 39361 +31
==========================================
+ Hits 183716 183808 +92
- Misses 13235 13272 +37
- Partials 7723 7729 +6
🚀 New features to boost your workflow:
|
| KeyType type = d_value->IsString() ? kKeyTypePrivate : kKeyTypePublic; | ||
|
|
||
| RSAPointer rsa(RSA_new()); | ||
| if (!rsa) return {}; |
There was a problem hiding this comment.
Why does this not throw an exception like the other return {}; sites?
There was a problem hiding this comment.
I was confused about the exception handling. Line 438 with the EVPKeyPointer::NewRSA also does not do any exception throwing. Yet when I forced this rsa check to fail at this line during testing I did get an exception when running some tests using ./tools/test.py.
There was a problem hiding this comment.
Right, I'd still expect some tests to fail in that case, maybe because something down the call stack throws an exception or just because the test doesn't properly work if key parsing doesn't work.
But that's bad practice, and methods should be consistent about whether they schedule an exception or not along with an empty return value (ideally signified by returning Maybe<> or MaybeLocal<> values)
3 participants
Not checking this can cause a null deref. Since there is already a null check at the bottom of the function with
NewRSA().Note: this was found by a static-dynamic analyser I'm developing.