
authorDavid Benjamin <davidben@google.com>2016-05-03 14:50:44 +0300
committerAdam Langley <agl@google.com>2016-05-03 19:34:59 +0300
commit52a3bf2835200a7beabe349a85cb2355e42ab599 (patch)
treec4be57c7a32bb81ffb476ac2924fc996a1b10dc1 /crypto/x509
parentddc69230f30ed53bf81e2e6755cb74f02f537b1a (diff)
Add checks to X509_NAME_oneline()
Sanity check field lengths and sums to avoid potential overflows and reject excessively large X509_NAME structures. Issue reported by Guido Vranken. (Imported from upstream's 9b08619cb45e75541809b1154c90e1a00450e537.) Change-Id: Ib2e1e7cd086f9c3f0d689d61947f8ec3e9220049 Reviewed-on: https://boringssl-review.googlesource.com/7842 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/x509')
-rw-r--r--crypto/x509/x509_obj.c19
1 files changed, 17 insertions, 2 deletions
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index 2195216b..a7f31e03 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -64,6 +64,13 @@
#include <openssl/obj.h>
#include <openssl/x509.h>
+/*
+ * Limit to ensure we don't overflow: much greater than
+ * anything enountered in practice.
+ */
+
+#define NAME_ONELINE_MAX (1024 * 1024)
+
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{
X509_NAME_ENTRY *ne;
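Review bot: The comment introduced with `NAME_ONELINE_MAX` has a typo (`enountered`) and says only that the limit avoids overflow, not what it bounds; the later hunks apply the same constant both to a single entry's `ne->value->length` and to the accumulated output length `l`, which is the point a reader needs. I would replace the comment with: `/* Bound on a single entry's length and on the accumulated output length l: keeps the (presumably int) length arithmetic in X509_NAME_oneline far from INT_MAX. Much larger than anything encountered in practice. */`. The type of `l` is declared outside this hunk, hence the hedge. The function body continues past the hunk.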
@@ -110,6 +117,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type = ne->value->type;
num = ne->value->length;
+ if (num > NAME_ONELINE_MAX) {
+ OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
q = ne->value->data;
if ((type == V_ASN1_GENERALSTRING) && ((num % 4) == 0)) {
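Review bot: The new guard `if (num > NAME_ONELINE_MAX)` bounds only the raw entry length taken from `ne->value->length`; the escaped length later added to `l` (`l2`, computed outside this hunk) can be a multiple of `num`, so this check alone does not keep the total bounded — the `l > NAME_ONELINE_MAX` check in the following hunk does. A one-line comment would spare the next reader that reasoning: `/* Per-entry cap only; the total output length l is checked separately below. */`. If an ASN1_STRING length can ever be negative at this point, `num < 0 ||` would also belong in the condition — presumably the parser rules that out, but the guard does not say so. The enclosing loop starts and ends outside the hunk.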
@@ -137,6 +148,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
lold = l;
l += 1 + l1 + 1 + l2;
+ if (l > NAME_ONELINE_MAX) {
+ OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1))
goto err;
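Review bot: The added `l > NAME_ONELINE_MAX` check runs after the signed addition `l += 1 + l1 + 1 + l2;`, so it only prevents overflow if every operand is already bounded: `l` by this same check on the previous iteration (the value saved as `lold`), and `l1`/`l2`, computed before this hunk, by whatever caps them — nothing in the hunk records that invariant. I would state it above the check: `/* l <= NAME_ONELINE_MAX from the previous iteration and l1/l2 are bounded by the per-entry cap, so this addition cannot overflow before the comparison. */`, hedged because the computation of `l1` and `l2` is not visible here. A side effect worth a word in the same comment is that `BUF_MEM_grow(b, l + 1)` is now bounded to roughly NAME_ONELINE_MAX bytes as well. The loop body continues outside the hunk.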
@@ -176,7 +191,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
return (p);
err:
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
- if (b != NULL)
- BUF_MEM_free(b);
+ end:
+ BUF_MEM_free(b);
return (NULL);
}
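Review bot: The `err:` label now falls through into `end:`, and `BUF_MEM_free(b)` is called unconditionally on both paths, which relies on BUF_MEM_free tolerating NULL and on `b` being initialised to NULL before the first `goto` (its declaration is outside the hunk); neither is stated. I would mark the fall-through explicitly, `/* fallthrough: err records the malloc error, end frees b (NULL-safe) */` just above `end:`, so nobody later inserts a `return` between the two labels. One further caveat: if, as elsewhere in this function, the caller-supplied `buf` is written per iteration, a `goto end` from the new length checks may leave `buf` holding a partial, unterminated string while NULL is returned — worth a sentence in the function's documentation if any caller prints `buf` after a NULL result. The function body begins outside this hunk.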