Potential null pointer dereference in `PySSLSession_richcompare`

[federicovalenso]

Bug report

Bug description:

Pointer left is dereferenced here, but null-pointer check is done later. Correct code should look like this:

    int result;
    if (left == NULL || right == NULL) {
        PyErr_BadInternalCall();
        return NULL;
    }

    PyTypeObject *sesstype = ((PySSLSession*)left)->ctx->state->PySSLSession_Type;

CPython versions tested on:

3.11

Operating systems tested on:

No response

Linked PRs

• gh-126106: Fix NULL possible dereference in Modules/_ssl.c #126111
• [3.13] gh-126106: Fix NULL possible derefrence in Modules/_ssl.c (GH-126111) #126116
• [3.12] gh-126106: Fix NULL possible derefrence in Modules/_ssl.c (GH-126111) #126117

[picnixz]

Thanks for spotting this. This still happens on main. Feel free to open a PR (I can do it as well if you want).

Note: 3.11 is security-only and this does not seem to count as a security issue unless someone is able to provide me a PoC of an exploit using that null pointer dereference.