Adjust length of some strncpy() calls
authorNicola Tuveri <nicola.tuveri@ibm.com>
Tue, 19 May 2020 17:36:44 +0000 (19:36 +0200)
committerNicola Tuveri <nic.tuv@gmail.com>
Fri, 22 May 2020 13:35:21 +0000 (15:35 +0200)
This fixes warnings detected by -Wstringop-truncation.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11878)

crypto/x509/v3_alt.c
providers/implementations/signature/rsa.c

index 5fece4f985dc9d4a8032a0bbcda8182cb81319f5..dd45546f6c69fd545a923b223f76850be0993194 100644 (file)
@@ -128,7 +128,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
                 BIO_snprintf(othername, sizeof(othername), "othername: %s:",
                              oline);
             else
-                strncpy(othername, "othername:", sizeof(othername));
+                OPENSSL_strlcpy(othername, "othername:", sizeof(othername));
 
             /* check if the value is something printable */
             if (gen->d.otherName->value->type == V_ASN1_IA5STRING) {
index 6f62c2b6486e0a439b2f2e545219554a7a62c81d..0e3885ec1dcfed8bcfecebb5377978c6eca30189 100644 (file)
@@ -227,17 +227,22 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
         EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops);
         int md_nid = rsa_get_md_nid(md);
         WPACKET pkt;
+        size_t mdname_len = strlen(mdname);
 
         if (md == NULL
             || md_nid == NID_undef
             || !rsa_check_padding(md_nid, ctx->pad_mode)
-            || !rsa_check_parameters(md, ctx)) {
+            || !rsa_check_parameters(md, ctx)
+            || mdname_len >= sizeof(ctx->mdname)) {
             if (md == NULL)
                 ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
                                "%s could not be fetched", mdname);
             if (md_nid == NID_undef)
                 ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED,
                                "digest=%s", mdname);
+            if (mdname_len >= sizeof(ctx->mdname))
+                ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                               "%s exceeds name buffer length", mdname);
             EVP_MD_free(md);
             return 0;
         }
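Review bot: The new `mdname_len >= sizeof(ctx->mdname)` test guards a copy that this hunk does not show, so nothing here tells the reader why the length matters. It is also evaluated only after `EVP_MD_fetch()` and the padding/parameter checks have already run on the over-long name. I would add a comment at the declaration, for example `/* mdname must fit ctx->mdname including the NUL, so the copy further down cannot truncate */`. It is also worth considering whether the length test should be the first condition, so the cheapest rejection comes first. Note that `rsa_setup_mgf1_md()` in the same commit validates by checking the `OPENSSL_strlcpy()` return value instead; using one approach in both functions would make the file easier to audit. The body of `rsa_setup_md()` starts and ends outside this hunk, so the position of the actual copy is inferred.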
@@ -274,6 +279,8 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname,
 static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
                              const char *mdprops)
 {
+    size_t len;
+
     if (mdprops == NULL)
         mdprops = ctx->propq;
 
@@ -285,7 +292,12 @@ static int rsa_setup_mgf1_md(PROV_RSA_CTX *ctx, const char *mdname,
                        "%s could not be fetched", mdname);
         return 0;
     }
-    OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
+    len = OPENSSL_strlcpy(ctx->mgf1_mdname, mdname, sizeof(ctx->mgf1_mdname));
+    if (len >= sizeof(ctx->mgf1_mdname)) {
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                       "%s exceeds name buffer length", mdname);
+        return 0;
+    }
 
     return 1;
 }
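Review bot: When `len >= sizeof(ctx->mgf1_mdname)` the function returns 0, but `OPENSSL_strlcpy()` has already written a truncated digest name into `ctx->mgf1_mdname`, so the failure path leaves the context modified. The fetch above this hunk has presumably already replaced the MGF1 digest as well, which would leave the stored name and the digest object out of step. Checking before touching the context avoids this, for example `if (strlen(mdname) >= sizeof(ctx->mgf1_mdname)) { ...raise...; return 0; }` ahead of the fetch, which is what `rsa_setup_md()` does with `mdname_len`. The same copy-then-check pattern appears in the `rsa_signature_init()` hunk, where `prsactx->mdname` is already overwritten when the `mgf1_mdname` copy is rejected. That matters if a caller can reuse the context after a failed init.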
@@ -321,6 +333,7 @@ static int rsa_signature_init(void *vprsactx, void *vrsa, int operation)
                 int mgf1md_nid = rsa_pss_params_30_maskgenhashalg(pss);
                 int min_saltlen = rsa_pss_params_30_saltlen(pss);
                 const char *mdname, *mgf1mdname;
+                size_t len;
 
                 mdname = rsa_oaeppss_nid2name(md_nid);
                 mgf1mdname = rsa_oaeppss_nid2name(mgf1md_nid);
@@ -337,9 +350,20 @@ static int rsa_signature_init(void *vprsactx, void *vrsa, int operation)
                     return 0;
                 }
 
-                strncpy(prsactx->mdname, mdname, sizeof(prsactx->mdname));
-                strncpy(prsactx->mgf1_mdname, mgf1mdname,
-                        sizeof(prsactx->mgf1_mdname));
+                len = OPENSSL_strlcpy(prsactx->mdname, mdname,
+                                      sizeof(prsactx->mdname));
+                if (len >= sizeof(prsactx->mdname)) {
+                    ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                                   "hash algorithm name too long");
+                    return 0;
+                }
+                len = OPENSSL_strlcpy(prsactx->mgf1_mdname, mgf1mdname,
+                                      sizeof(prsactx->mgf1_mdname));
+                if (len >= sizeof(prsactx->mgf1_mdname)) {
+                    ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_DIGEST,
+                                   "MGF1 hash algorithm name too long");
+                    return 0;
+                }
                 prsactx->saltlen = min_saltlen;
 
                 return rsa_setup_md(prsactx, mdname, prsactx->propq)