From 903d94c7056e01baf37cf0db6ec0ef36c5d9b753 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Mon, 10 Aug 2009 19:12:47 +0000 Subject: [PATCH] Check for null characters in pkinit cert fields When processing DNS names or MS UPNs in pkinit certs, disallow embedded null characters. ticket: 6542 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22516 dc483132-0cff-0310-8789-dd5450dbe970 --- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index c402e2ee1..6e1a4b87a 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -1761,6 +1761,9 @@ crypto_retrieve_X509_sans(krb5_context context, } else if (upns != NULL && OBJ_cmp(plgctx->id_ms_san_upn, gen->d.otherName->type_id) == 0) { + /* Prevent abuse of embedded null characters. */ + if (memchr(name.data, '\0', name.length)) + break; ret = krb5_parse_name(context, name.data, &upns[u]); if (ret) { pkiDebug("%s: failed parsing ms-upn san value\n", @@ -1778,6 +1781,10 @@ crypto_retrieve_X509_sans(krb5_context context, break; case GEN_DNS: if (dnss != NULL) { + /* Prevent abuse of embedded null characters. */ + if (memchr(gen->d.dNSName->data, '\0', + gen->d.dNSName->length)) + break; pkiDebug("%s: found dns name = %s\n", __FUNCTION__, gen->d.dNSName->data); dnss[d] = (unsigned char *) -- 2.26.2