From: Greg Hudson Date: Mon, 10 Aug 2009 19:12:47 +0000 (+0000) Subject: Check for null characters in pkinit cert fields X-Git-Tag: krb5-1.8-alpha1~393 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=903d94c7056e01baf37cf0db6ec0ef36c5d9b753;p=krb5.git Check for null characters in pkinit cert fields When processing DNS names or MS UPNs in pkinit certs, disallow embedded null characters. ticket: 6542 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22516 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index c402e2ee1..6e1a4b87a 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -1761,6 +1761,9 @@ crypto_retrieve_X509_sans(krb5_context context, } else if (upns != NULL && OBJ_cmp(plgctx->id_ms_san_upn, gen->d.otherName->type_id) == 0) { + /* Prevent abuse of embedded null characters. */ + if (memchr(name.data, '\0', name.length)) + break; ret = krb5_parse_name(context, name.data, &upns[u]); if (ret) { pkiDebug("%s: failed parsing ms-upn san value\n", @@ -1778,6 +1781,10 @@ crypto_retrieve_X509_sans(krb5_context context, break; case GEN_DNS: if (dnss != NULL) { + /* Prevent abuse of embedded null characters. */ + if (memchr(gen->d.dNSName->data, '\0', + gen->d.dNSName->length)) + break; pkiDebug("%s: found dns name = %s\n", __FUNCTION__, gen->d.dNSName->data); dnss[d] = (unsigned char *)