Commit 4e0d184a authored May 04, 2016 by Dr. Stephen Henson

Fix name length limit check.



The name length limit check in x509_name_ex_d2i() includes
the containing structure as well as the actual X509_NAME. This will
cause large CRLs to be rejected.

Fix by limiting the length passed to ASN1_item_ex_d2i() which will
then return an error if the passed X509_NAME exceeds the length.

RT#4531

Reviewed-by: Rich Salz <rsalz@openssl.org>

parent c73aa309

crypto/x509/x_name.c

+2 −4

Original line number	Diff line number	Diff line
		@@ -194,10 +194,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
		int i, j, ret;
		STACK_OF(X509_NAME_ENTRY) *entries;
		X509_NAME_ENTRY *entry;
		if (len > X509_NAME_MAX) {
		ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
		return 0;
		}
		if (len > X509_NAME_MAX)
		len = X509_NAME_MAX;
		q = p;

		/* Get internal representation of Name */