Skip to content

Comments

crypto: fix missing nullptr check on RSA_new()#61888

Open
ndossche wants to merge 3 commits intonodejs:mainfrom
ndossche:clesss-5
Open

crypto: fix missing nullptr check on RSA_new()#61888
ndossche wants to merge 3 commits intonodejs:mainfrom
ndossche:clesss-5

Conversation

@ndossche
Copy link
Contributor

@ndossche ndossche commented Feb 19, 2026

Not checking this can cause a null deref. Since there is already a null check at the bottom of the function with NewRSA().

Note: this was found by a static-dynamic analyser I'm developing.

@ndossche
crypto: fix missing nullptr check on RSA_new()
00b4cf8 
Not checking this can cause a null deref. Since there is already a
null check at the bottom of the function with `NewRSA()`.
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Feb 19, 2026

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Feb 19, 2026
@codecov
Copy link

codecov bot commented Feb 19, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.77%. Comparing base (4a13a62) to head (09ed002).
⚠️ Report is 68 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_rsa.cc 0.00% 4 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #61888      +/-   ##
==========================================
+ Coverage   89.76%   89.77%   +0.01%     
==========================================
  Files         675      674       -1     
  Lines      204674   205610     +936     
  Branches    39330    39413      +83     
==========================================
+ Hits       183716   184583     +867     
- Misses      13235    13287      +52     
- Partials     7723     7740      +17
Files with missing lines Coverage Δ
src/crypto/crypto_rsa.cc 62.58% <0.00%> (-1.03%) ⬇️

... and 152 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

addaleax
addaleax requested changes Feb 20, 2026
View reviewed changes
src/crypto/crypto_rsa.cc Outdated
KeyType type = d_value->IsString() ? kKeyTypePrivate : kKeyTypePublic;

RSAPointer rsa(RSA_new());
if (!rsa) return {};
Copy link
Member

@addaleax addaleax Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does this not throw an exception like the other return {}; sites?

Copy link
Contributor Author

@ndossche ndossche Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was confused about the exception handling. Line 438 with the EVPKeyPointer::NewRSA also does not do any exception throwing. Yet when I forced this rsa check to fail at this line during testing I did get an exception when running some tests using ./tools/test.py.

Copy link
Member

@addaleax addaleax Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, I'd still expect some tests to fail in that case, maybe because something down the call stack throws an exception or just because the test doesn't properly work if key parsing doesn't work.

But that's bad practice, and methods should be consistent about whether they schedule an exception or not along with an empty return value (ideally signified by returning Maybe<> or MaybeLocal<> values)

@addaleax addaleax added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Feb 24, 2026
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 24, 2026
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Feb 24, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/71437/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@addaleax addaleax addaleax approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ndossche @nodejs-github-bot @addaleax