diff options
| author | Pawel Kowalski <p.kowalski2@partner.samsung.com> | 2017-10-03 11:23:45 +0200 |
|---|---|---|
| committer | Pawel Kowalski <p.kowalski2@partner.samsung.com> | 2017-10-03 11:40:22 +0200 |
| commit | 52e10d8471cd9e6572d85b4bf15e599bc60b3ce5 (patch) | |
| tree | 93ea034905128ff8c5ee34104b2309ce511a274f | |
| parent | ad4da44b187d499978846cf66ffdfe081568e796 (diff) | |
| download | libtasn1-52e10d8471cd9e6572d85b4bf15e599bc60b3ce5.tar.gz libtasn1-52e10d8471cd9e6572d85b4bf15e599bc60b3ce5.tar.bz2 libtasn1-52e10d8471cd9e6572d85b4bf15e599bc60b3ce5.zip | |
Fix CVE-2017-10790 vulnerabilitysubmit/tizen/20171005.115455accepted/tizen/unified/20171011.150545
The patch fixes CVE-2017-10790 vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790
https://bugzilla.redhat.com/show_bug.cgi?id=1464141#c5
The _asn1_check_identifier function caused a NULL pointer dereference
and crashed when a NULL value was assigned to value member in
asn1_node. It could lead to a remote DOS attack.
(cherry-picked from upstream d8d805e1f2e6799bb2dff4871a8598dc83088a39)
Change-Id: I4136fe2df14980581cfdc6ec619742967449349c
| -rw-r--r-- | lib/parser_aux.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/lib/parser_aux.c b/lib/parser_aux.c index 16379af..723d48b 100644 --- a/lib/parser_aux.c +++ b/lib/parser_aux.c @@ -951,7 +951,7 @@ _asn1_check_identifier (asn1_node node) if (p2 == NULL) { if (p->value) - _asn1_strcpy (_asn1_identifierMissing, p->value); + _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p->value); else _asn1_strcpy (_asn1_identifierMissing, "(null)"); return ASN1_IDENTIFIER_NOT_FOUND; @@ -964,9 +964,14 @@ _asn1_check_identifier (asn1_node node) if (p2 && (type_field (p2->type) == ASN1_ETYPE_DEFAULT)) { _asn1_str_cpy (name2, sizeof (name2), node->name); - _asn1_str_cat (name2, sizeof (name2), "."); - _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); - _asn1_strcpy (_asn1_identifierMissing, p2->value); + if (p2->value) + { + _asn1_str_cat (name2, sizeof (name2), "."); + _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); + _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value); + } + else + _asn1_strcpy (_asn1_identifierMissing, "(null)"); p2 = asn1_find_node (node, name2); if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) || !(p2->type & CONST_ASSIGN)) @@ -986,7 +991,7 @@ _asn1_check_identifier (asn1_node node) _asn1_str_cpy (name2, sizeof (name2), node->name); _asn1_str_cat (name2, sizeof (name2), "."); _asn1_str_cat (name2, sizeof (name2), (char *) p2->value); - _asn1_strcpy (_asn1_identifierMissing, p2->value); + _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value); p2 = asn1_find_node (node, name2); if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) || !(p2->type & CONST_ASSIGN)) |