libcurl at commit 04739054cdac5a0614fb94e3655e313c03399f35 contains a NULL-dereference in function encodeDN() when parsing the certificate of a server during the TLS connect-phase.

The vulnerable code is in lib/vtls/x509asn1.c:701:

static CURLcode encodeDN(struct dynbuf *store, struct Curl_asn1Element *dn)
{
    struct dynbuf temp;
    Curl_dyn_init(&temp, MAX_X509_STR);
    
    for(p1 = dn->beg; p1 < dn->end;) {
        for(p2 = rdn.beg; p2 < rdn.end;) {
            // --- snip ---
            
            Curl_dyn_reset(&temp);
            result = ASN1tostr(&temp, &oid, 0);
            if(result)
                goto error;

            str = Curl_dyn_ptr(&temp);

            /* Encode delimiter.
                If attribute has a short uppercase name, delimiter is ", ". */
            for(p3 = str; ISUPPER(*p3); p3++)
                ;
        }
    }
}

When the oid that ASN1tostr tries to convert to a string is an element that is constructed such that oid.constructed is 1
ASN1tostr returns without touching the dynbuf temp. The following Curl_dyn_ptr() returns NULL and ISUPPER(*p3) causes
the application to crash.

Exploit scenario

The following exploit scenario demonstrates how to terminate an application using libcurl with the NULL dereference from above:

1. Setup a malicious server with a TLS certificate that triggers the crash
2. When a client connects over TLS, send the invalid certificate. This causes the client to terminate and no longer serve its purpose

Impact

The null dereference causes a DOS on applications using libcurl to do TLS-encrypted connections.
It requires no special setup to trigger the crash, since it is triggered during the connect-phase of the
connection. Thus I chose severity “Low”.