From 9b08619cb45e75541809b1154c90e1a00450e537 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 28 Apr 2016 19:45:44 +0100 Subject: [PATCH] Add checks to X509_NAME_oneline() Sanity check field lengths and sums to avoid potential overflows and reject excessively large X509_NAME structures. Issue reported by Guido Vranken. Reviewed-by: Matt Caswell (cherry picked from commit 77076dc944f76e821e4eae3a6563b853ce00c0ed) Conflicts: crypto/x509/x509_err.c crypto/x509/x509_obj.c --- crypto/x509/x509.h | 1 + crypto/x509/x509_err.c | 1 + crypto/x509/x509_obj.c | 19 +++++++++++++++++-- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 99337b849a..fc613ce635 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -1305,6 +1305,7 @@ void ERR_load_X509_strings(void); # define X509_R_LOADING_CERT_DIR 103 # define X509_R_LOADING_DEFAULTS 104 # define X509_R_METHOD_NOT_SUPPORTED 124 +# define X509_R_NAME_TOO_LONG 134 # define X509_R_NEWER_CRL_NOT_NEWER 132 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105 # define X509_R_NO_CRL_NUMBER 130 diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index 43cde18e49..1e779fefd9 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -151,6 +151,7 @@ static ERR_STRING_DATA X509_str_reasons[] = { {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"}, {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"}, {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"}, + {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"}, {ERR_REASON(X509_R_NEWER_CRL_NOT_NEWER), "newer crl not newer"}, {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY), "no cert set for us to verify"}, diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c index 500c9dfa54..f7daac25e9 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -63,6 +63,13 @@ #include #include +/* + * Limit to ensure we don't overflow: much greater than + * anything enountered in practice. + */ + +#define NAME_ONELINE_MAX (1024 * 1024) + char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) { X509_NAME_ENTRY *ne; @@ -112,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) type = ne->value->type; num = ne->value->length; + if (num > NAME_ONELINE_MAX) { + X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG); + goto end; + } q = ne->value->data; #ifdef CHARSET_EBCDIC if (type == V_ASN1_GENERALSTRING || @@ -156,6 +167,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) lold = l; l += 1 + l1 + 1 + l2; + if (l > NAME_ONELINE_MAX) { + X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG); + goto end; + } if (b != NULL) { if (!BUF_MEM_grow(b, l + 1)) goto err; @@ -208,7 +223,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) return (p); err: X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE); - if (b != NULL) - BUF_MEM_free(b); + end: + BUF_MEM_free(b); return (NULL); } -- 2.25.1