diff options
author | Emilia Kasper <emilia@openssl.org> | 2014-07-02 19:02:33 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2014-08-06 20:36:41 +0100 |
commit | 0042fb5fd1c9d257d713b15a1f45da05cf5c1c87 (patch) | |
tree | 06f19083ca305b2c39706ab501688ae1da537114 /crypto/objects | |
parent | 17160033765480453be0a41335fa6b833691c049 (diff) | |
download | openssl-0042fb5fd1c9d257d713b15a1f45da05cf5c1c87.tar.gz |
Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
CVE-2014-3508
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'crypto/objects')
-rw-r--r-- | crypto/objects/obj_dat.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index e515160d72..bf89bc7b16 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) const unsigned char *p; char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; - if ((a == NULL) || (a->data == NULL)) { - buf[0]='\0'; - return(0); - } + /* Ensure that, at every state, |buf| is NUL-terminated. */ + if (buf && buf_len > 0) + buf[0] = '\0'; + if ((a == NULL) || (a->data == NULL)) + return(0); if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef) { @@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) i=(int)(l/40); l-=(long)(i*40); } - if (buf && (buf_len > 0)) + if (buf && (buf_len > 1)) { *buf++ = i + '0'; + *buf = '\0'; buf_len--; } n++; @@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) i = strlen(bndec); if (buf) { - if (buf_len > 0) + if (buf_len > 1) { *buf++ = '.'; + *buf = '\0'; buf_len--; } BUF_strlcpy(buf,bndec,buf_len); @@ -807,4 +810,3 @@ err: OPENSSL_free(buf); return(ok); } - |