diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-05-04 16:09:06 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-05-04 17:39:37 +0100 |
commit | 4e0d184ac1dde845ba9574872e2ae5c903c81dff (patch) | |
tree | d140e2448750d674e2f3fb25a4297a9b571da66b | |
parent | c73aa309049c4f04ec81f0f1cf552eab8456a16e (diff) | |
download | openssl-4e0d184ac1dde845ba9574872e2ae5c903c81dff.zip openssl-4e0d184ac1dde845ba9574872e2ae5c903c81dff.tar.gz openssl-4e0d184ac1dde845ba9574872e2ae5c903c81dff.tar.bz2 |
Fix name length limit check.
The name length limit check in x509_name_ex_d2i() includes
the containing structure as well as the actual X509_NAME. This will
cause large CRLs to be rejected.
Fix by limiting the length passed to ASN1_item_ex_d2i() which will
then return an error if the passed X509_NAME exceeds the length.
RT#4531
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r-- | crypto/x509/x_name.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c index 72682fe..662de64 100644 --- a/crypto/x509/x_name.c +++ b/crypto/x509/x_name.c @@ -194,10 +194,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, int i, j, ret; STACK_OF(X509_NAME_ENTRY) *entries; X509_NAME_ENTRY *entry; - if (len > X509_NAME_MAX) { - ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); - return 0; - } + if (len > X509_NAME_MAX) + len = X509_NAME_MAX; q = p; /* Get internal representation of Name */ |