calculate
/
gentoo-overlay
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c314fd5246'
${ noResults }
gentoo-overlay/net-vpn/openconnect/files/8.09-gnutls-buffer-overflow...

63 lines
2.1 KiB
Raw Blame History

From eef4c1f9d24478aa1d2dd9ac7ec32efb2137f474 Mon Sep 17 00:00:00 2001
From: Sergei Trofimovich <slyfox@gentoo.org>
Date: Fri, 8 May 2020 10:39:41 -0400
Subject: [PATCH] gnutls: prevent buffer overflow in get_cert_name
The test suite for ocserv calls openconnect with a certificate that has
a name that is 84 bytes in length. The buffer passed to get_cert_name is
currently 80 bytes.
The gnutls_x509_crt_get_dn_by_oid function will update the buffer size
parameter if the buffer is too small.
http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html
RETURNS
GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long
enough, and in that case the buf_size will be updated with the
required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no
data in the current index. On success 0 is returned.
Use a temporary variable to avoid clobbering the namelen variable that is
passed to get_cert_name.
Bug: https://bugs.gentoo.org/721570
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
---
gnutls.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/gnutls.c b/gnutls.c
index 36bc82e0..53bf2a43 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -546,12 +546,19 @@ static int count_x509_certificates(gnutls_datum_t *datum)
static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)
{
+ /* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() will
+ * update the length argument to the required size, and return
+ * GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the original
+ * length variable. */
+ size_t nl = namelen;
if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
- 0, 0, name, &namelen) &&
- gnutls_x509_crt_get_dn(cert, name, &namelen)) {
- name[namelen-1] = 0;
- snprintf(name, namelen-1, "<unknown>");
- return -EINVAL;
+ 0, 0, name, &nl)) {
+ nl = namelen;
+ if (gnutls_x509_crt_get_dn(cert, name, &nl)) {
+ name[namelen-1] = 0;
+ snprintf(name, namelen-1, "<unknown>");
+ return -EINVAL;
+ }
}
return 0;
}
--
2.26.2
Reference in new issue View Git Blame Copy Permalink