diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-08-02 21:38:37 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-08-04 17:37:59 +0100 |
commit | f96b3ff25e7e49734fb784da52563413ae5a4bbc (patch) | |
tree | d1961963aa98c913f05018f8064f0bd3b3a3bedd | |
parent | 1228ae7738e1ad2189a04ab4ca2dc5a317d1a29c (diff) | |
download | openssl-f96b3ff25e7e49734fb784da52563413ae5a4bbc.tar.gz |
Limit status message sisze in ts_get_status_check
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20fc103f782bb0bcd41d211c6423187b02146b9d)
Conflicts:
include/openssl/ts.h
-rw-r--r-- | crypto/ts/ts.h | 3 | ||||
-rw-r--r-- | crypto/ts/ts_rsp_verify.c | 4 |
2 files changed, 6 insertions, 1 deletions
diff --git a/crypto/ts/ts.h b/crypto/ts/ts.h index 16eccbb38d..2daa1b2fb5 100644 --- a/crypto/ts/ts.h +++ b/crypto/ts/ts.h @@ -565,6 +565,9 @@ int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, /* At most we accept usec precision. */ # define TS_MAX_CLOCK_PRECISION_DIGITS 6 +/* Maximum status message length */ +# define TS_MAX_STATUS_LENGTH (1024 * 1024) + /* No flags are set by default. */ void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags); diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 97d9c81db6..7918236287 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -555,13 +555,15 @@ static int TS_check_status_info(TS_RESP *response) static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) { int i; - unsigned int length = 0; + int length = 0; char *result = NULL; char *p; /* Determine length first. */ for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) { ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); + if (ASN1_STRING_length(current) > TS_MAX_STATUS_LENGTH - length - 1) + return NULL; length += ASN1_STRING_length(current); length += 1; /* separator character */ } |