Skip to content

Commit

Permalink
Fix append_ia5 function to not assume NUL terminated strings
Browse files Browse the repository at this point in the history
ASN.1 strings may not be NUL terminated. Don't assume they are.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
  • Loading branch information
mattcaswell committed Aug 24, 2021
1 parent 4de6692 commit bb4d2ed
Showing 1 changed file with 13 additions and 5 deletions.
18 changes: 13 additions & 5 deletions crypto/x509v3/v3_utl.c
Original file line number Diff line number Diff line change
Expand Up @@ -528,18 +528,26 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email
/* First some sanity checks */
if (email->type != V_ASN1_IA5STRING)
return 1;
if (!email->data || !email->length)
if (email->data == NULL || email->length == 0)
return 1;
if (memchr(email->data, 0, email->length) != NULL)
return 1;
if (*sk == NULL)
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
if (*sk == NULL)
return 0;

emtmp = OPENSSL_strndup((char *)email->data, email->length);
if (emtmp == NULL)
return 0;

/* Don't add duplicates */
if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
OPENSSL_free(emtmp);
return 1;
emtmp = OPENSSL_strdup((char *)email->data);
if (emtmp == NULL || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
OPENSSL_free(emtmp); /* free on push failure */
}
if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
OPENSSL_free(emtmp); /* free on push failure */
X509_email_free(*sk);
*sk = NULL;
return 0;
Expand Down

0 comments on commit bb4d2ed

Please sign in to comment.