Commit 1c81a595 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Add checks to X509_NAME_oneline() 



Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.

Issue reported by Guido Vranken.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(cherry picked from commit 9b08619c)

Conflicts:
	crypto/x509/x509.h
	crypto/x509/x509_err.c
parent 0b34cf82

crypto/x509/x509.h

+1 −0
Original line number Diff line number Diff line
@@ -1281,6 +1281,7 @@ void ERR_load_X509_strings(void); 
# define X509_R_LOADING_CERT_DIR                          103

# define X509_R_LOADING_DEFAULTS                          104

# define X509_R_METHOD_NOT_SUPPORTED                      124

# define X509_R_NAME_TOO_LONG                             134

# define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY              105

# define X509_R_PUBLIC_KEY_DECODE_ERROR                   125

# define X509_R_PUBLIC_KEY_ENCODE_ERROR                   126

crypto/x509/x509_err.c

+1 −0
Original line number Diff line number Diff line
@@ -145,6 +145,7 @@ static ERR_STRING_DATA X509_str_reasons[] = { 
    {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},

    {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},

    {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},

    {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},

    {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),

     "no cert set for us to verify"},

    {ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR), "public key decode error"},

crypto/x509/x509_obj.c

+17 −2
Original line number Diff line number Diff line
@@ -63,6 +63,13 @@ 
#include <openssl/x509.h>

#include <openssl/buffer.h>



/*

 * Limit to ensure we don't overflow: much greater than

 * anything enountered in practice.

 */



#define NAME_ONELINE_MAX    (1024 * 1024)



char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)

{

    X509_NAME_ENTRY *ne;
@@ -112,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) 


        type = ne->value->type;

        num = ne->value->length;

        if (num > NAME_ONELINE_MAX) {

            X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);

            goto end;

        }

        q = ne->value->data;

#ifdef CHARSET_EBCDIC

        if (type == V_ASN1_GENERALSTRING ||
@@ -156,6 +167,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) 


        lold = l;

        l += 1 + l1 + 1 + l2;

        if (l > NAME_ONELINE_MAX) {

            X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);

            goto end;

        }

        if (b != NULL) {

            if (!BUF_MEM_grow(b, l + 1))

                goto err;
@@ -208,7 +223,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) 
    return (p);

 err:

    X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);

    if (b != NULL)

 end:

    BUF_MEM_free(b);

    return (NULL);

}