From c7f8edfc1186a48463c14cfdc7f70456cbcb1cda Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Thu, 26 Aug 2021 09:43:50 +0100
Subject: [PATCH] Ensure that we check the ASN.1 type of an "otherName" before using it

We should not assume that the type of an ASN.1 value is UTF8String as expected. We must actually check it, otherwise we could get a NULL ptr deref, or worse memory errors. Reported by David Benjamin.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16443)
---
 crypto/x509/v3_utl.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
index 5c63d2d9d84..a70917a39bd 100644
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@@ -901,12 +901,19 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
 if (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox) {
 san_present = 1;
- cstr = gen->d.otherName->value->value.utf8string;
- /* Positive on success, negative on error! */
- if ((rv = do_check_string(cstr, 0, equal, flags,
- chk, chklen, peername)) != 0)
- break;
+ /*
+ * If it is not a UTF8String then that is unexpected and we
+ * treat it as no match
+ */
+ if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
+ cstr = gen->d.otherName->value->value.utf8string;
+
+ /* Positive on success, negative on error! */
+ if ((rv = do_check_string(cstr, 0, equal, flags,
+ chk, chklen, peername)) != 0)
+ break;
+ }
 } else continue;
 } else {
--
2.47.2
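Review bot: The new comment in the `NID_id_on_SmtpUTF8Mailbox` branch says a non-UTF8String value is treated as no match, but it does not mention that `san_present = 1` has already been set by then, so a malformed otherName still counts as a SAN being present. If, as the name suggests, that flag suppresses a later fallback to the subject name (that code is outside the hunk), this is the fail-closed outcome a verifier wants and is worth stating, e.g. `* treat it as no match; san_present stays set, so there is no fallback to the subject`. The type check also reads `gen->d.otherName->value->type` without testing `value` for NULL; the decoder presumably guarantees it, but a GENERAL_NAME built by a caller may not, so adding `gen->d.otherName->value != NULL &&` to the condition would be cheap. The diffstat lists only `crypto/x509/v3_utl.c`, so a regression test with a SmtpUTF8Mailbox otherName carrying a different ASN.1 type would help keep this check from being lost in a later refactor. The body of do_x509_check starts and ends outside the hunk.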