diff options
author | Matt Caswell <matt@openssl.org> | 2016-04-28 10:46:55 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-05-03 10:25:05 +0100 |
commit | 9f2ccf1d718ab66c778a623f9aed3cddf17503a2 (patch) | |
tree | 9757dae471e2ad31e37f7942091c8816fdb2873a | |
parent | 3ab937bc440371fbbe74318ce494ba95021f850a (diff) | |
download | openssl-new-9f2ccf1d718ab66c778a623f9aed3cddf17503a2.tar.gz |
Prevent EBCDIC overread for very long strings
ASN1 Strings that are over 1024 bytes can cause an overread in
applications using the X509_NAME_oneline() function on EBCDIC systems.
This could result in arbitrary stack data being returned in the buffer.
Issue reported by Guido Vranken.
CVE-2016-2176
Reviewed-by: Andy Polyakov <appro@openssl.org>
-rw-r--r-- | crypto/x509/x509_obj.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c index f7daac25e9..3de3ac7204 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -130,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) type == V_ASN1_PRINTABLESTRING || type == V_ASN1_TELETEXSTRING || type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) - ? sizeof ebcdic_buf : num); + if (num > (int)sizeof(ebcdic_buf)) + num = sizeof(ebcdic_buf); + ascii2ebcdic(ebcdic_buf, q, num); q = ebcdic_buf; } #endif |