generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add checks to X509_NAME_oneline()

Browse Source 
Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.

Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 77076dc944f76e821e4eae3a6563b853ce00c0ed)

Conflicts:
	crypto/x509/x509_err.c
	crypto/x509/x509_obj.c
This commit is contained in:
Dr. Stephen Henson 2016-04-28 19:45:44 +01:00
parent 66e731ab09
commit 9b08619cb4
3 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
crypto/x509/x509.h
View File

@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void);
# define X509_R_LOADING_CERT_DIR 103 # define X509_R_LOADING_CERT_DIR 103
# define X509_R_LOADING_DEFAULTS 104 # define X509_R_LOADING_DEFAULTS 104
# define X509_R_METHOD_NOT_SUPPORTED 124 # define X509_R_METHOD_NOT_SUPPORTED 124
# define X509_R_NAME_TOO_LONG 134
# define X509_R_NEWER_CRL_NOT_NEWER 132 # define X509_R_NEWER_CRL_NOT_NEWER 132
# define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105
# define X509_R_NO_CRL_NUMBER 130 # define X509_R_NO_CRL_NUMBER 130

1
crypto/x509/x509_err.c
View File

@ -151,6 +151,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
{ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"}, {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},
{ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"}, {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},
{ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"}, {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},
{ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},
{ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"}, {ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"},
{ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY), {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),
"no cert set for us to verify"}, "no cert set for us to verify"},

19
crypto/x509/x509_obj.c
View File

@ -63,6 +63,13 @@
#include <openssl/x509.h> #include <openssl/x509.h>
#include <openssl/buffer.h> #include <openssl/buffer.h>
/*
* Limit to ensure we don't overflow: much greater than
* anything enountered in practice.
*/
#define NAME_ONELINE_MAX (1024 * 1024)
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{ {
X509_NAME_ENTRY *ne; X509_NAME_ENTRY *ne;
@ -112,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type = ne->value->type; type = ne->value->type;
num = ne->value->length; num = ne->value->length;
if (num > NAME_ONELINE_MAX) {
X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
goto end;
}
q = ne->value->data; q = ne->value->data;
#ifdef CHARSET_EBCDIC #ifdef CHARSET_EBCDIC
if (type == V_ASN1_GENERALSTRING || if (type == V_ASN1_GENERALSTRING ||
@ -156,6 +167,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
lold = l; lold = l;
l += 1 + l1 + 1 + l2; l += 1 + l1 + 1 + l2;
if (l > NAME_ONELINE_MAX) {
X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
goto end;
}
if (b != NULL) { if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1)) if (!BUF_MEM_grow(b, l + 1))
goto err; goto err;
@ -208,7 +223,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
return (p); return (p);
err: err:
X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE); X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);
if (b != NULL) end:
BUF_MEM_free(b); BUF_MEM_free(b);
return (NULL); return (NULL);
} }