author Matthew Whitehead <matthew1001@gmail.com> 2018-10-15 16:27:28 +0100
committer Jay Satiro <raysatiro@yahoo.com> 2018-10-16 03:52:47 -0400
commit df54b14fb77bc7f62f31971ed8bb26ec24bf27d5
tree 384f152db88c172b6b5f313a15a4f27c67e81688
parent 03186b118784e067cccef7d469564d8fbb96725f
x509asn1: Fix SAN IP address verification
For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end, where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly.

The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail.

Fixes #3102
Closes #3141
-rw-r--r-- lib/x509asn1.c 4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index fc51e02f4..a0be23d61 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -1131,8 +1131,8 @@ CURLcode Curl_verifyhost(struct connectdata *conn,
break;
case 7: /* IP address. */
- matched = (size_t) (name.end - q) == addrlen &&
- !memcmp(&addr, q, addrlen);
+ matched = (size_t) (name.end - name.beg) == addrlen &&
+ !memcmp(&addr, name.beg, addrlen);
break;
}
}
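Review bot: The `case 7` branch gets no regression test in this change, and a length that always came out as zero is a defect that one positive test would have caught. Consider adding a test in which the certificate carries an iPAddress SAN equal to the address being connected to, covering both the 4-byte IPv4 and the 16-byte IPv6 form, plus a negative case where the SAN bytes differ so the branch is shown to still reject a mismatch. As a style point, `name.end - name.beg` is now the element's content length and is written out next to two separate uses of `name.beg`; computing it once into a local `size_t` before the comparison would keep the length check and the `memcmp` source visibly tied to the same bounds, and a short comment that `q` has already advanced to `name.end` at this point would explain why it cannot be used here.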