Check for SSL_CTX_new returning NULL in ssl_sock_open(). (closes #3831)

Thanks to Yuan Kang and the security researchers at Columbia
University and the University of Virginia for reporting the bug.

diff --git a/mutt_ssl.c b/mutt_ssl.c
index a6cdd10f011468de514f777509282354843f7819..da5efa8baa26d841a73633289eea947180bf0d91 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -334,7 +334,11 @@ static int ssl_socket_open (CONNECTION * conn)
   data = (sslsockdata *) safe_calloc (1, sizeof (sslsockdata));
   conn->sockdata = data;
 
-  data->ctx = SSL_CTX_new (SSLv23_client_method ());
+  if (! (data->ctx = SSL_CTX_new (SSLv23_client_method ())))
+  {
+    mutt_socket_close (conn);
+    return -1;
+  }
 
   /* disable SSL protocols as needed */
   if (!option(OPTTLSV1))