maria-developers team mailing list archive

[noreply@xxxxxxxxxxxxx]

------------------------------------------------------------
revno: 2803
committer: Sergei Golubchik <sergii@xxxxxxxxx>
branch nick: maria-5.1
timestamp: Wed 2010-01-27 11:38:29 +0100
message:
  YaSSL cert info buffer overflow fix
  Apply a diff from
    [Yassl-commit] yassl/taocrypt/src asn.cpp,1.13,1.14
    [Yassl-commit] yassl/taocrypt/include asn.hpp,1.9,1.10
  Original patch
    http://lists.mysql.com/commits/96697
modified:
  extra/yassl/taocrypt/include/asn.hpp
  extra/yassl/taocrypt/src/asn.cpp


--
lp:maria
https://code.launchpad.net/~maria-captains/maria/5.1

Your team Maria developers is subscribed to branch lp:maria.
To unsubscribe from this branch go to https://code.launchpad.net/~maria-captains/maria/5.1/+edit-subscription.

=== modified file 'extra/yassl/taocrypt/include/asn.hpp'
--- extra/yassl/taocrypt/include/asn.hpp	2007-01-29 15:54:40 +0000
+++ extra/yassl/taocrypt/include/asn.hpp	2010-01-27 10:38:29 +0000
@@ -305,6 +305,7 @@
     bool   ValidateSignature(SignerList*);
     bool   ConfirmSignature(Source&);
     void   GetKey();
+    char*  AddTag(char*, const char*, const char*, word32, word32);
     void   GetName(NameType);
     void   GetValidity();
     void   GetDate(DateType);

=== modified file 'extra/yassl/taocrypt/src/asn.cpp'
--- extra/yassl/taocrypt/src/asn.cpp	2009-09-15 11:22:39 +0000
+++ extra/yassl/taocrypt/src/asn.cpp	2010-01-27 10:38:29 +0000
@@ -652,6 +652,25 @@
 }
 
 
+// memory length checked add tag to buffer
+char* CertDecoder::AddTag(char* ptr, const char* buf_end, const char* tag_name,
+                          word32 tag_name_length, word32 tag_value_length)
+{
+    if (ptr + tag_name_length + tag_value_length > buf_end) {
+        source_.SetError(CONTENT_E);
+        return 0;
+    }
+
+    memcpy(ptr, tag_name, tag_name_length);
+    ptr += tag_name_length;
+
+    memcpy(ptr, source_.get_current(), tag_value_length);
+    ptr += tag_value_length;
+
+    return ptr;
+}
+
+
 // process NAME, either issuer or subject
 void CertDecoder::GetName(NameType nt)
 {
@@ -659,11 +678,22 @@
 
     SHA    sha;
     word32 length = GetSequence();  // length of all distinguished names
-    assert (length < ASN_NAME_MAX);
+
+    if (length >= ASN_NAME_MAX)
+        return;
     length += source_.get_index();
 
-    char*  ptr = (nt == ISSUER) ? issuer_ : subject_;
-    word32 idx = 0;
+    char* ptr;
+    char* buf_end;
+
+    if (nt == ISSUER) {
+        ptr = issuer_;
+        buf_end = ptr + sizeof(issuer_) - 1;   // 1 byte for trailing 0
+    }
+    else {
+        ptr = subject_;
+        buf_end = ptr + sizeof(subject_) - 1;  // 1 byte for trailing 0
+    }
 
     while (source_.get_index() < length) {
         GetSet();
@@ -685,47 +715,36 @@
             byte   id      = source_.next();  
             b              = source_.next();    // strType
             word32 strLen  = GetLength(source_);
-            bool   copy    = false;
-
-            if (id == COMMON_NAME) {
-                memcpy(&ptr[idx], "/CN=", 4);
-                idx += 4;
-                copy = true;
-            }
-            else if (id == SUR_NAME) {
-                memcpy(&ptr[idx], "/SN=", 4);
-                idx += 4;
-                copy = true;
-            }
-            else if (id == COUNTRY_NAME) {
-                memcpy(&ptr[idx], "/C=", 3);
-                idx += 3;
-                copy = true;
-            }
-            else if (id == LOCALITY_NAME) {
-                memcpy(&ptr[idx], "/L=", 3);
-                idx += 3;
-                copy = true;
-            }
-            else if (id == STATE_NAME) {
-                memcpy(&ptr[idx], "/ST=", 4);
-                idx += 4;
-                copy = true;
-            }
-            else if (id == ORG_NAME) {
-                memcpy(&ptr[idx], "/O=", 3);
-                idx += 3;
-                copy = true;
-            }
-            else if (id == ORGUNIT_NAME) {
-                memcpy(&ptr[idx], "/OU=", 4);
-                idx += 4;
-                copy = true;
-            }
-
-            if (copy) {
-                memcpy(&ptr[idx], source_.get_current(), strLen);
-                idx += strLen;
+
+            switch (id) {
+            case COMMON_NAME:
+                if (!(ptr = AddTag(ptr, buf_end, "/CN=", 4, strLen)))
+                    return;
+                break;
+            case SUR_NAME:
+                if (!(ptr = AddTag(ptr, buf_end, "/SN=", 4, strLen)))
+                    return;
+                break;
+            case COUNTRY_NAME:
+                if (!(ptr = AddTag(ptr, buf_end, "/C=", 3, strLen)))
+                    return;
+                break;
+            case LOCALITY_NAME:
+                if (!(ptr = AddTag(ptr, buf_end, "/L=", 3, strLen)))
+                    return;
+                break;
+            case STATE_NAME:
+                if (!(ptr = AddTag(ptr, buf_end, "/ST=", 4, strLen)))
+                    return;
+                break;
+            case ORG_NAME:
+                if (!(ptr = AddTag(ptr, buf_end, "/O=", 3, strLen)))
+                    return;
+                break;
+            case ORGUNIT_NAME:
+                if (!(ptr = AddTag(ptr, buf_end, "/OU=", 4, strLen)))
+                    return;
+                break;
             }
 
             sha.Update(source_.get_current(), strLen);
@@ -740,17 +759,15 @@
             word32 length = GetLength(source_);
 
             if (email) {
-                memcpy(&ptr[idx], "/emailAddress=", 14);
-                idx += 14;
-
-                memcpy(&ptr[idx], source_.get_current(), length);
-                idx += length;
+                if (!(ptr = AddTag(ptr, buf_end, "/emailAddress=", 14, length)))
+                    return; 
             }
 
             source_.advance(length);
         }
     }
-    ptr[idx++] = 0;
+
+    *ptr = 0;
 
     if (nt == ISSUER)
         sha.Final(issuerHash_);