Fix potential overflow in CertificateRequest

2 files changed, 11 insertions, 2 deletions

diff --git a/ChangeLog b/ChangeLog
index a7c12a0..6c735e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,10 @@ Security
    * Fix possible heap buffer overflow in base64_encode() when the input
      buffer is 512MB or larger on 32-bit platforms.
      Found by Guido Vranken. Not trigerrable remotely in TLS.
+   * Fix potential heap buffer overflow in servers that perform client
+     authentication against a crafted CA cert. Cannot be triggered remotely
+     unless you allow third parties to pick trust CAs for client auth.
+     Found by Guido Vranken.
 
 = Version 1.2.16 released 2015-09-17
 
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index cd9802a..2f4ae69 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -923,6 +923,7 @@ static int ssl_write_certificate_request( ssl_context *ssl )
     size_t n = 0, dn_size, total_dn_size;
     unsigned char *buf, *p;
     const x509_cert *crt;
+    const unsigned char * const end = ssl->out_msg + SSL_MAX_CONTENT_LEN;
 
     SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
 
@@ -987,10 +988,14 @@ static int ssl_write_certificate_request( ssl_context *ssl )
     total_dn_size = 0;
     while( crt != NULL && crt->version != 0)
     {
-        if( p - buf > 4096 )
+        dn_size = crt->subject_raw.len;
+
+        if( end < p || (size_t)( end - p ) < 2 + dn_size )
+        {
+            SSL_DEBUG_MSG( 1, ( "skipping CAs: buffer too short" ) );
             break;
+        }
 
-        dn_size = crt->subject_raw.len;
         *p++ = (unsigned char)( dn_size >> 8 );
         *p++ = (unsigned char)( dn_size      );
         memcpy( p, crt->subject_raw.p, dn_size );