Fix in asn1_get_printable string

Buffer overflow vulnerability in proc.c Possible double memory release on invalid certificates. git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@221 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2025-07-30 16:24:09 +03:00 · 2012-02-10 10:31:02 +00:00
parent 1378f8a78f
commit ffa4da45ee
5 changed files with 29 additions and 17 deletions
--- a/ssl/asn1.c
+++ b/ssl/asn1.c
@ -288,19 +288,20 @@ end_oid:
 static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)
 {
    int len = X509_NOT_OK;
+    int asn1_type = buf[*offset];

    /* some certs have this awful crud in them for some reason */
-    if (buf[*offset] != ASN1_PRINTABLE_STR &&  
-            buf[*offset] != ASN1_PRINTABLE_STR2 &&  
-            buf[*offset] != ASN1_TELETEX_STR &&  
-            buf[*offset] != ASN1_IA5_STR &&  
-            buf[*offset] != ASN1_UNICODE_STR)
+    if (buf[asn1_type] != ASN1_PRINTABLE_STR &&  
+            buf[asn1_type] != ASN1_PRINTABLE_STR2 &&  
+            buf[asn1_type] != ASN1_TELETEX_STR &&  
+            buf[asn1_type] != ASN1_IA5_STR &&  
+            buf[asn1_type] != ASN1_UNICODE_STR)
        goto end_pnt_str;

        (*offset)++;
        len = get_asn1_length(buf, offset);

-        if (buf[*offset - 1] == ASN1_UNICODE_STR)
+        if (buf[asn1_type - 1] == ASN1_UNICODE_STR)
        {
            int i;
            *str = (char *)malloc(len/2+1);     /* allow for null */
@ -330,7 +331,7 @@ int asn1_name(const uint8_t *cert, int *offset, char *dn[])
 {
    int ret = X509_NOT_OK;
    int dn_type;
-    char *tmp = NULL;
+    char *tmp;

    if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
        goto end_name;
@ -343,6 +344,8 @@ int asn1_name(const uint8_t *cert, int *offset, char *dn[])
               (dn_type = asn1_get_oid_x520(cert, offset)) < 0)
            goto end_name;

+        tmp = NULL;
+
        if (asn1_get_printable_str(cert, offset, &tmp) < 0)
        {
            free(tmp);
--- a/ssl/loader.c
+++ b/ssl/loader.c
@ -259,6 +259,7 @@ static int pem_decrypt(const char *where, const char *end,

    /* turn base64 into binary */
    pem_size = (int)(end-start);
+    ssl_obj->len = sizeof(ssl_obj->buf);
    if (base64_decode(start, pem_size, ssl_obj->buf, &ssl_obj->len) != 0)
        goto error;

@ -326,11 +327,15 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
                        goto error;
                    }
                }
-                else if (base64_decode(start, pem_size, 
-                            ssl_obj->buf, &ssl_obj->len) != 0)
+                else 
                {
-                    ret = SSL_ERROR_BAD_CERTIFICATE;
-                    goto error;
+                    ssl_obj->len = pem_size;
+                    if (base64_decode(start, pem_size, 
+                                ssl_obj->buf, &ssl_obj->len) != 0)
+                    {
+                        ret = SSL_ERROR_BAD_CERTIFICATE;
+                        goto error;
+                    }
                }

                switch (i)