authorPawel Kowalski <p.kowalski2@partner.samsung.com>2017-10-03 11:23:45 +0200
committerPawel Kowalski <p.kowalski2@partner.samsung.com>2017-10-03 11:40:22 +0200
commit52e10d8471cd9e6572d85b4bf15e599bc60b3ce5 (patch)
tree93ea034905128ff8c5ee34104b2309ce511a274f
parentad4da44b187d499978846cf66ffdfe081568e796 (diff)
The patch fixes the CVE-2017-10790 vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790 https://bugzilla.redhat.com/show_bug.cgi?id=1464141#c5 The _asn1_check_identifier function dereferenced a NULL pointer and crashed when the value member of an asn1_node was NULL. It could lead to a remote DoS attack. (cherry-picked from upstream d8d805e1f2e6799bb2dff4871a8598dc83088a39) Change-Id: I4136fe2df14980581cfdc6ec619742967449349c
-rw-r--r--lib/parser_aux.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/lib/parser_aux.c b/lib/parser_aux.c
index 16379af..723d48b 100644
--- a/lib/parser_aux.c
+++ b/lib/parser_aux.c
@@ -951,7 +951,7 @@ _asn1_check_identifier (asn1_node node)
if (p2 == NULL)
{
if (p->value)
- _asn1_strcpy (_asn1_identifierMissing, p->value);
+ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p->value);
else
_asn1_strcpy (_asn1_identifierMissing, "(null)");
return ASN1_IDENTIFIER_NOT_FOUND;
@@ -964,9 +964,14 @@ _asn1_check_identifier (asn1_node node)
if (p2 && (type_field (p2->type) == ASN1_ETYPE_DEFAULT))
{
_asn1_str_cpy (name2, sizeof (name2), node->name);
- _asn1_str_cat (name2, sizeof (name2), ".");
- _asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
- _asn1_strcpy (_asn1_identifierMissing, p2->value);
+ if (p2->value)
+ {
+ _asn1_str_cat (name2, sizeof (name2), ".");
+ _asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
+ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value);
+ }
+ else
+ _asn1_strcpy (_asn1_identifierMissing, "(null)");
p2 = asn1_find_node (node, name2);
if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) ||
!(p2->type & CONST_ASSIGN))
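Review bot: The new `else` branch records "(null)" but then falls through to `p2 = asn1_find_node (node, name2);` with name2 holding only node->name, so the lookup runs on a name that was never meant to be resolved. Whether that lookup can match anything is not visible from the hunk, but the earlier `p2 == NULL` path in the same function returns ASN1_IDENTIFIER_NOT_FOUND as soon as the missing identifier is recorded, and doing the same here would make the intent explicit: `_asn1_strcpy (_asn1_identifierMissing, "(null)"); return ASN1_IDENTIFIER_NOT_FOUND;`. If the fall-through is deliberate, a one-line comment such as `/* no identifier to resolve; lookup below will fail and report it */` would save the next reader the question. _asn1_check_identifier starts and ends outside this hunk.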
@@ -986,7 +991,7 @@ _asn1_check_identifier (asn1_node node)
_asn1_str_cpy (name2, sizeof (name2), node->name);
_asn1_str_cat (name2, sizeof (name2), ".");
_asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
- _asn1_strcpy (_asn1_identifierMissing, p2->value);
+ _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value);
p2 = asn1_find_node (node, name2);
if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID)
|| !(p2->type & CONST_ASSIGN))
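Review bot: `p2->value` is still passed unchecked to `_asn1_str_cat` and `_asn1_str_cpy` in this block, whereas the equivalent block in the second hunk of this file now guards it with `if (p2->value)`. The enclosing condition for this branch is outside the hunk, so I cannot tell whether a NULL value can reach it; if it can, the NULL dereference the commit sets out to remove survives here, and the bounded copy does not help because the length is taken from the NULL pointer. Mirroring the guard/`"(null)"` shape of the second hunk would close the gap and keep the two paths consistent. _asn1_check_identifier continues past the end of this hunk.
```c
	  _asn1_str_cpy (name2, sizeof (name2), node->name);
	  if (p2->value)
	    {
	      _asn1_str_cat (name2, sizeof (name2), ".");
	      _asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
	      _asn1_str_cpy (_asn1_identifierMissing, sizeof (_asn1_identifierMissing), (char *) p2->value);
	    }
	  else
	    _asn1_strcpy (_asn1_identifierMissing, "(null)");
	  p2 = asn1_find_node (node, name2);
	  /* … unchanged: OBJECT_ID / CONST_ASSIGN check … */
```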