Check for null characters in pkinit cert fields
authorGreg Hudson <ghudson@mit.edu>
Mon, 10 Aug 2009 19:12:47 +0000 (19:12 +0000)
committerGreg Hudson <ghudson@mit.edu>
Mon, 10 Aug 2009 19:12:47 +0000 (19:12 +0000)
When processing DNS names or MS UPNs in pkinit certs, disallow
embedded null characters.

ticket: 6542
tags: pullup
target_version: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22516 dc483132-0cff-0310-8789-dd5450dbe970

src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index c402e2ee1099531039fd70ad67538d982f4d8b00..6e1a4b87a744b57addd9e4832dbfdf4b56e69a41 100644 (file)
@@ -1761,6 +1761,9 @@ crypto_retrieve_X509_sans(krb5_context context,
                } else if (upns != NULL
                           && OBJ_cmp(plgctx->id_ms_san_upn,
                                      gen->d.otherName->type_id) == 0) {
+                   /* Prevent abuse of embedded null characters. */
+                   if (memchr(name.data, '\0', name.length))
+                       break;
                    ret = krb5_parse_name(context, name.data, &upns[u]);
                    if (ret) {
                        pkiDebug("%s: failed parsing ms-upn san value\n",
@@ -1778,6 +1781,10 @@ crypto_retrieve_X509_sans(krb5_context context,
                break;
            case GEN_DNS:
                if (dnss != NULL) {
+                   /* Prevent abuse of embedded null characters. */
+                   if (memchr(gen->d.dNSName->data, '\0',
+                              gen->d.dNSName->length))
+                       break;
                    pkiDebug("%s: found dns name = %s\n",
                             __FUNCTION__, gen->d.dNSName->data);
                    dnss[d] = (unsigned char *)