projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: acc0049)
Limit status message sisze in ts_get_status_check
authorDr. Stephen Henson <steve@openssl.org>
Tue, 2 Aug 2016 20:38:37 +0000 (21:38 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 4 Aug 2016 16:34:28 +0000 (17:34 +0100)
Thanks to Shi Lei for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
crypto/ts/ts_rsp_verify.c patch | blob | history
include/openssl/ts.h patch | blob | history

diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 8ed973bdf8fa258260ce31e62becfc83c0344b9f..99f664b431e5335a2567ba5a9abe3fcf09eb8a11 100644 (file)
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -451,12 +451,14 @@ static int ts_check_status_info(TS_RESP *response)
 static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
 {
     int i;
-    unsigned int length = 0;
+    int length = 0;
     char *result = NULL;
     char *p;
 
     for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
         ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
+        if (ASN1_STRING_length(current) > TS_MAX_STATUS_LENGTH - length - 1)
+            return NULL;
         length += ASN1_STRING_length(current);
         length += 1;            /* separator character */
     }
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index db8247482b9c82669a171b37164062539ce07c0c..cd8f373c4cd235179fe2999e6cedc1ce1d1f595c 100644 (file)
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
@@ -346,6 +346,9 @@ int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
 /* At most we accept usec precision. */
 # define TS_MAX_CLOCK_PRECISION_DIGITS   6
 
+/* Maximum status message length */
+# define TS_MAX_STATUS_LENGTH   (1024 * 1024)
+
 /* No flags are set by default. */
 void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
 
Unnamed repository; edit this file 'description' to name the repository.