From 279b6ee97ad5420f2fc8b8592aa3c09da5dc7772 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 29 Sep 2009 01:38:48 +0000 Subject: [PATCH] pull up r22516 from trunk ------------------------------------------------------------------------ r22516 | ghudson | 2009-08-10 15:12:47 -0400 (Mon, 10 Aug 2009) | 8 lines ticket: 6542 subject: Check for null characters in pkinit cert fields tags: pullup target_version: 1.7 When processing DNS names or MS UPNs in pkinit certs, disallow embedded null characters. ticket: 6542 version_fixed: 1.7.1 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22811 dc483132-0cff-0310-8789-dd5450dbe970 --- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index c402e2ee1..6e1a4b87a 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -1761,6 +1761,9 @@ crypto_retrieve_X509_sans(krb5_context context, } else if (upns != NULL && OBJ_cmp(plgctx->id_ms_san_upn, gen->d.otherName->type_id) == 0) { + /* Prevent abuse of embedded null characters. */ + if (memchr(name.data, '\0', name.length)) + break; ret = krb5_parse_name(context, name.data, &upns[u]); if (ret) { pkiDebug("%s: failed parsing ms-upn san value\n", @@ -1778,6 +1781,10 @@ crypto_retrieve_X509_sans(krb5_context context, break; case GEN_DNS: if (dnss != NULL) { + /* Prevent abuse of embedded null characters. */ + if (memchr(gen->d.dNSName->data, '\0', + gen->d.dNSName->length)) + break; pkiDebug("%s: found dns name = %s\n", __FUNCTION__, gen->d.dNSName->data); dnss[d] = (unsigned char *) -- 2.26.2
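Review bot: Both new checks drop the SAN entry with a bare `break` and log nothing, so a certificate carrying an embedded NUL in an ms-upn or dNSName value looks the same in the debug output as one that simply lacks that SAN. In the UPN branch I would brace the check and add `pkiDebug("%s: ignoring ms-upn san with embedded null\n", __FUNCTION__);` before the `break`, with a matching dns-name message in the `GEN_DNS` hunk. As far as the hunks show, only the offending entry is skipped and the certificate's other SANs are still collected. If that is intended, the comment should say so, for example `/* Skip this entry only; other SANs in the cert are still used. */`. The body of crypto_retrieve_X509_sans starts and ends outside both hunks.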
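Review bot: The `memchr` check in the `GEN_DNS` branch shows there is no NUL inside the first `length` bytes, but the `pkiDebug` call right after it prints `gen->d.dNSName->data` with `%s`, which still relies on a terminator just past `length`. OpenSSL typically stores one, but nothing in this hunk establishes it. A bounded format removes the assumption: `pkiDebug("%s: found dns name = %.*s\n", __FUNCTION__, gen->d.dNSName->length, gen->d.dNSName->data);`. The same applies to `krb5_parse_name(context, name.data, &upns[u])` in the UPN hunk, and presumably to the copy into `dnss[d]`, whose statement is cut off at the end of the hunk.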