Skip to content
Browse files

Fix potential double-free in --x509-alt-username (CVE-2017-7521)

We didn't check the return value of ASN1_STRING_to_UTF8() in
extract_x509_extension().  Ignoring such a failure could result in buf
being free'd twice.  An error in ASN1_STRING_to_UTF8() can be caused
remotely if the peer can make the local process run out of memory.

The problem can only be triggered for configurations that use the
--x509-alt-username option with an x509 extension (i.e. the option
parameter starts with "ext:").

This issue was discovered, analysed and reported to the OpenVPN team by
Guido Vranken.

Extensive testing by Guido Vranken gives confidence that this function
is very unlikely to fail in real-world usage (using subjectAltName or
issuerAltName extensions) for other reasons than memory exhaustion.

CVE: 2017-7521
Signed-off-by: Steffan Karger <>
Acked-by: Gert Doering <>
Acked-by: David Sommerseth <>
Acked-by: Guido Vranken <>
Message-Id: <>
Signed-off-by: Gert Doering <>
  • Loading branch information...
syzzer authored and cron2 committed Jun 19, 2017
1 parent d2a1918 commit cb4e35ece4a5b70b10ef9013be3bff263d82f32b
Showing with 11 additions and 1 deletion.
  1. +7 −0 Changes.rst
  2. +4 −1 src/openvpn/ssl_verify_openssl.c
@@ -318,6 +318,13 @@ Security
server. That can eventuall cause the server to run out of memory, and thereby
causing the server process to terminate. Discovered and reported to the
OpenVPN security team by Guido Vranken. (OpenSSL builds only.)
- CVE-2017-7521: Fix a potential post-authentication remote code execution
attack on servers that use the ``--x509-alt-username`` option with an X.509
extension field (option argument prefixed with ``ext:``). A client that can
cause a server to run out-of-memory (see above) might be able to cause the
server to double free, which in turn might lead to remote code execution.
Discovered and reported to the OpenVPN security team by Guido Vranken.
(OpenSSL builds only.)

User-visible Changes
@@ -156,7 +156,10 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
switch (name->type)
ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5);
if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0)
if (strlen(buf) != name->d.ia5->length)
msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");

0 comments on commit cb4e35e

Please sign in to comment.
You can’t perform that action at this time.