| 0 | |
From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
|
| 1 | |
From: "Dr. Stephen Henson" <steve@openssl.org>
|
| 2 | |
Date: Wed, 4 May 2016 16:09:06 +0100
|
| 3 | |
Subject: [PATCH] Fix name length limit check.
|
| 4 | |
|
| 5 | |
The name length limit check in x509_name_ex_d2i() includes
|
| 6 | |
the containing structure as well as the actual X509_NAME. This will
|
| 7 | |
cause large CRLs to be rejected.
|
| 8 | |
|
| 9 | |
Fix by limiting the length passed to ASN1_item_ex_d2i() which will
|
| 10 | |
then return an error if the passed X509_NAME exceeds the length.
|
| 11 | |
|
| 12 | |
RT#4531
|
| 13 | |
|
| 14 | |
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
| 15 | |
(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
|
| 16 | |
---
|
| 17 | |
crypto/asn1/x_name.c | 6 ++----
|
| 18 | |
1 file changed, 2 insertions(+), 4 deletions(-)
|
| 19 | |
|
| 20 | |
diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
|
| 21 | |
index a858c29..26378fd 100644
|
| 22 | |
--- a/crypto/asn1/x_name.c
|
| 23 | |
+++ b/crypto/asn1/x_name.c
|
| 24 | |
@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
|
| 25 | |
int i, j, ret;
|
| 26 | |
STACK_OF(X509_NAME_ENTRY) *entries;
|
| 27 | |
X509_NAME_ENTRY *entry;
|
| 28 | |
- if (len > X509_NAME_MAX) {
|
| 29 | |
- ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
|
| 30 | |
- return 0;
|
| 31 | |
- }
|
| 32 | |
+ if (len > X509_NAME_MAX)
|
| 33 | |
+ len = X509_NAME_MAX;
|
| 34 | |
q = p;
|
| 35 | |
|
| 36 | |
/* Get internal representation of Name */
|
| 37 | |
--
|
| 38 | |
2.8.1
|
| 39 | |
|