Prevent EBCDIC overread for very long strings
author Matt Caswell <matt@openssl.org>
Thu, 28 Apr 2016 09:46:55 +0000 (10:46 +0100)
committer Matt Caswell <matt@openssl.org>
Tue, 3 May 2016 09:22:47 +0000 (10:22 +0100)
ASN1 Strings that are over 1024 bytes can cause an overread in
applications using the X509_NAME_oneline() function on EBCDIC systems.
This could result in arbitrary stack data being returned in the buffer.

Issue reported by Guido Vranken.

CVE-2016-2176

Reviewed-by: Andy Polyakov <appro@openssl.org>
crypto/x509/x509_obj.c

index f6c348fb0d2afbb986d31368cc7f75b72b270fbb..eaa03f2b883612f689ea0adca91fb5660cb3a2de 100644 (file)
@@ -130,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
             type == V_ASN1_PRINTABLESTRING ||
             type == V_ASN1_TELETEXSTRING ||
             type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
-            ascii2ebcdic(ebcdic_buf, q, (num > (int)sizeof(ebcdic_buf))
-                         ? (int)sizeof(ebcdic_buf) : num);
+            if (num > (int)sizeof(ebcdic_buf))
+                num = sizeof(ebcdic_buf);
+            ascii2ebcdic(ebcdic_buf, q, num);
             q = ebcdic_buf;
         }
 #endif
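Review bot: The clamp now keeps `num` consistent with the buffer that `q` is redirected to, which is the actual fix (the old code bounded only the `ascii2ebcdic()` copy while `num` retained the full ASN.1 string length and was then used together with `q = ebcdic_buf`), but the resulting silent truncation of name components longer than `sizeof(ebcdic_buf)` on EBCDIC builds is not documented at the site. Suggest a short comment above the `if`, e.g. `/* Clamp to the stack buffer; longer strings are truncated on EBCDIC */`, so a later reader does not "fix" the clamp back out, and consider writing `num = (int)sizeof(ebcdic_buf);` to match the cast style used in the comparison on the line above.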