kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add checks to X509_NAME_oneline()

Browse Source 
Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.

Issue reported by Guido Vranken.

(Imported from upstream's 9b08619cb45e75541809b1154c90e1a00450e537.)

Change-Id: Ib2e1e7cd086f9c3f0d689d61947f8ec3e9220049
Reviewed-on: https://boringssl-review.googlesource.com/7842
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
David Benjamin 2016-05-03 07:50:44 -04:00 committed by Adam Langley
parent ddc69230f3
commit 52a3bf2835
3 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
crypto/err/x509.errordata
View File

@ -17,6 +17,7 @@ X509,115,KEY_TYPE_MISMATCH
X509,116,KEY_VALUES_MISMATCH X509,116,KEY_VALUES_MISMATCH
X509,117,LOADING_CERT_DIR X509,117,LOADING_CERT_DIR
X509,118,LOADING_DEFAULTS X509,118,LOADING_DEFAULTS
X509,135,NAME_TOO_LONG
X509,119,NEWER_CRL_NOT_NEWER X509,119,NEWER_CRL_NOT_NEWER
X509,120,NOT_PKCS7_SIGNED_DATA X509,120,NOT_PKCS7_SIGNED_DATA
X509,121,NO_CERTIFICATES_INCLUDED X509,121,NO_CERTIFICATES_INCLUDED

19
crypto/x509/x509_obj.c
View File

@ -64,6 +64,13 @@
#include <openssl/obj.h> #include <openssl/obj.h>
#include <openssl/x509.h> #include <openssl/x509.h>
/*
* Limit to ensure we don't overflow: much greater than
* anything enountered in practice.
*/
#define NAME_ONELINE_MAX (1024 * 1024)
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{ {
X509_NAME_ENTRY *ne; X509_NAME_ENTRY *ne;
@ -110,6 +117,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type = ne->value->type; type = ne->value->type;
num = ne->value->length; num = ne->value->length;
if (num > NAME_ONELINE_MAX) {
OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);
goto end;
}
q = ne->value->data; q = ne->value->data;
if ((type == V_ASN1_GENERALSTRING) && ((num % 4) == 0)) { if ((type == V_ASN1_GENERALSTRING) && ((num % 4) == 0)) {
@ -137,6 +148,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
lold = l; lold = l;
l += 1 + l1 + 1 + l2; l += 1 + l1 + 1 + l2;
if (l > NAME_ONELINE_MAX) {
OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);
goto end;
}
if (b != NULL) { if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1)) if (!BUF_MEM_grow(b, l + 1))
goto err; goto err;
@ -176,7 +191,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
return (p); return (p);
err: err:
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
if (b != NULL) end:
BUF_MEM_free(b); BUF_MEM_free(b);
return (NULL); return (NULL);
} }

1
include/openssl/x509.h
View File

@ -1262,5 +1262,6 @@ OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
#define X509_R_UNSUPPORTED_ALGORITHM 132 #define X509_R_UNSUPPORTED_ALGORITHM 132
#define X509_R_WRONG_LOOKUP_TYPE 133 #define X509_R_WRONG_LOOKUP_TYPE 133
#define X509_R_WRONG_TYPE 134 #define X509_R_WRONG_TYPE 134
#define X509_R_NAME_TOO_LONG 135
#endif #endif