authorMatt Caswell <matt@openssl.org>2016-04-28 10:46:55 +0100
committerMatt Caswell <matt@openssl.org>2016-05-03 10:25:05 +0100
commit9f2ccf1d718ab66c778a623f9aed3cddf17503a2 (patch)
tree9757dae471e2ad31e37f7942091c8816fdb2873a
parent3ab937bc440371fbbe74318ce494ba95021f850a (diff)
Prevent EBCDIC overread for very long strings
ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer. Issue reported by Guido Vranken. CVE-2016-2176 Reviewed-by: Andy Polyakov <appro@openssl.org>
-rw-r--r--crypto/x509/x509_obj.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index f7daac25e9..3de3ac7204 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -130,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
type == V_ASN1_PRINTABLESTRING ||
type == V_ASN1_TELETEXSTRING ||
type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
- ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
- ? sizeof ebcdic_buf : num);
+ if (num > (int)sizeof(ebcdic_buf))
+ num = sizeof(ebcdic_buf);
+ ascii2ebcdic(ebcdic_buf, q, num);
q = ebcdic_buf;
}
#endif
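Review bot: The clamp `num = sizeof(ebcdic_buf);` carries no comment explaining why `num` itself has to be reduced rather than only the length passed to `ascii2ebcdic()`, and that distinction is the whole fix: `q` is repointed at `ebcdic_buf` on the following line, so any later read of `num` bytes through `q` (presumably the rest of the loop, which lies outside this hunk) must stay inside that buffer. I would add `/* Clamp num itself: q is repointed at ebcdic_buf below, so later reads of q[0..num) must not run past it */` above the `if`, so a future cleanup does not fold the check back into the call argument. A side effect is that an over-long string value is now silently truncated in the one-line output on EBCDIC builds only; that is worth stating in the same comment or in the function's documentation so callers do not treat the result as the complete name. The enclosing function starts and ends outside the hunk.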