From 00b4cf839091e3d0b3de8caa6a4d98633c7b4953 Mon Sep 17 00:00:00 2001
From: ndossche
Date: Thu, 19 Feb 2026 16:46:15 +0100
Subject: [PATCH 1/3] crypto: fix missing nullptr check on RSA_new()

Not checking this can cause a null deref. Since there is already a null check at the bottom of the function with `NewRSA()`.
---
 src/crypto/crypto_rsa.cc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
index e7546cec4c1123..4347bf4efb5406 100644
--- a/src/crypto/crypto_rsa.cc
+++ b/src/crypto/crypto_rsa.cc
@@ -385,6 +385,8 @@ KeyObjectData ImportJWKRsaKey(Environment* env,
 KeyType type = d_value->IsString() ? kKeyTypePrivate : kKeyTypePublic;
 RSAPointer rsa(RSA_new());
+ if (!rsa) return {};
+
 ncrypto::Rsa rsa_view(rsa.get());
 ByteSource n = ByteSource::FromEncodedString(env, n_value.As());
From 34f25318d7339983c04f2db4c22547acadac9757 Mon Sep 17 00:00:00 2001
From: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Mon, 23 Feb 2026 22:53:00 +0100
Subject: [PATCH 2/3] fixup! throw
---
 src/crypto/crypto_rsa.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
index 4347bf4efb5406..28883799241216 100644
--- a/src/crypto/crypto_rsa.cc
+++ b/src/crypto/crypto_rsa.cc
@@ -385,7 +385,10 @@ KeyObjectData ImportJWKRsaKey(Environment* env,
 KeyType type = d_value->IsString() ? kKeyTypePrivate : kKeyTypePublic;
 RSAPointer rsa(RSA_new());
- if (!rsa) return {};
+ if (!rsa) {
+ THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Unable to create RSA pointer");
+ return {};
+ }
 ncrypto::Rsa rsa_view(rsa.get());
From 09ed002511530c2106c2a25cc45e84b18bd35b40 Mon Sep 17 00:00:00 2001
From: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Mon, 23 Feb 2026 22:53:29 +0100
Subject: [PATCH 3/3] fix: throw exception when EVPKeyPointer::NewRSA() fails
---
 src/crypto/crypto_rsa.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
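Review bot: The new failure branch after `RSAPointer rsa(RSA_new());` in the second patch throws a fixed-text error but does nothing visible about the OpenSSL error queue, and the same holds for the `NewRSA()` branch in the third patch. A failed `RSA_new()` normally leaves an allocation-failure entry queued, and if nothing in ImportJWKRsaKey clears the queue on return, that stale entry can be attributed to a later, unrelated crypto call. The start of the function is outside the hunk, so a guard such as `ncrypto::ClearErrorOnReturn clear_error_on_return;` may already be in place; if it is not, adding one near the top of the function would cover both branches.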
diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
index 28883799241216..62ee228945c45b 100644
--- a/src/crypto/crypto_rsa.cc
+++ b/src/crypto/crypto_rsa.cc
@@ -440,7 +440,10 @@ KeyObjectData ImportJWKRsaKey(Environment* env,
 }
 auto pkey = EVPKeyPointer::NewRSA(std::move(rsa));
- if (!pkey) return {};
+ if (!pkey) {
+ THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Unable to create key pointer");
+ return {};
+ }
 return KeyObjectData::CreateAsymmetric(type, std::move(pkey));
 }
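Review bot: Nothing at the `NewRSA()` failure branch says who still owns the RSA object once `std::move(rsa)` has been passed and the call fails, and by that point it may hold the private JWK components. NewRSA's definition is outside this patch, so whether it consumes its argument on failure cannot be confirmed from here. If it leaves ownership with the caller, a one-line comment above the branch would record that, e.g. `// NewRSA only takes ownership on success; rsa still frees the key material here.`, to be confirmed against ncrypto before it is added. The body of ImportJWKRsaKey starts before this hunk.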