From: Matt Caswell
Date: Wed, 18 Aug 2021 16:37:23 +0000 (+0100)
Subject: Fix CMP code to not assume NUL terminated strings
X-Git-Tag: openssl-3.0.0~89
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=95f8c1e142df835d03b5b62521383a462fc5470d;p=thirdparty%2Fopenssl.git
Fix CMP code to not assume NUL terminated strings
ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni
Reviewed-by: Paul Dale
Reviewed-by: David Benjamin
---
diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c
index 86be2546d5a..8c553af61a5 100644
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@@ -181,7 +181,8 @@ int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text)
 return 0;
 return
- ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data);
+ ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data,
+ text->length);
 }
 int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index f2a0587ca49..3da021043b8 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -744,7 +744,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 int only_self_issued);
 STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
- const char *text);
+ const char *text, int len);
 int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
 const ASN1_OCTET_STRING *src);
 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 5fb67ae2cb4..10ef4cd922e 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
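Review bot: The new call in ossl_cmp_hdr_push1_freeText reads `text->data` and `text->length` directly and casts the data to a non-const `char *`, while the cmp_status.c hunk of this same commit uses the public accessors. Using them here too keeps the call sites consistent and matches the callee's `const char *` parameter: `ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (const char *)ASN1_STRING_get0_data(text), ASN1_STRING_length(text));`. The function body starts outside the hunk.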
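Review bot: The new `len` parameter of ossl_cmp_sk_ASN1_UTF8STRING_push_str is declared without documenting what a negative value means. The cmp_msg.c callers pass `-1` for C strings and the definition in cmp_util.c forwards `len` to ASN1_STRING_set, which measures the input with strlen() when the length is negative. A comment above the declaration such as `/* len < 0: text must be NUL-terminated and is measured with strlen(); otherwise exactly len bytes are copied */` would stop a later caller from passing -1 for a buffer that is not terminated, which is the pattern this commit removes. The same comment belongs on the definition in cmp_util.c.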
@@ -758,13 +758,13 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
 goto err;
 msg->body->value.error->errorDetails = ft;
 if (lib != NULL && *lib != '\0'
- && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib))
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
 goto err;
 if (reason != NULL && *reason != '\0'
- && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason))
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
 goto err;
 if (details != NULL
- && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
 goto err;
 }
diff --git a/crypto/cmp/cmp_status.c b/crypto/cmp/cmp_status.c
index dc14f754de2..f1e7b4bc023 100644
--- a/crypto/cmp/cmp_status.c
+++ b/crypto/cmp/cmp_status.c
@@ -220,7 +220,8 @@ char *snprint_PKIStatusInfo_parts(int status, int fail_info,
 ADVANCE_BUFFER;
 for (i = 0; i < n_status_strings; i++) {
 text = sk_ASN1_UTF8STRING_value(status_strings, i);
- printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%s\"%s",
+ printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
+ ASN1_STRING_length(text),
 ASN1_STRING_get0_data(text),
 i < n_status_strings - 1 ? ", " : "");
 ADVANCE_BUFFER;
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index fbb8d1e2492..ed611d64dd0 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -221,7 +221,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 }
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
- const char *text)
+ const char *text, int len)
 {
 ASN1_UTF8STRING *utf8string;
@@ -229,7 +229,7 @@ int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
 return 0;
 if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
 return 0;
- if (!ASN1_STRING_set(utf8string, text, -1))
+ if (!ASN1_STRING_set(utf8string, text, len))
 goto err;
 if (!sk_ASN1_UTF8STRING_push(sk, utf8string))
 goto err;
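Review bot: The `%.*s` conversion in the status-string loop of cmp_status.c still stops at the first NUL byte, so a status string with an embedded NUL is printed truncated with no indication. The bytes that are printed go into the buffer unescaped. If that buffer reaches logs or operator-facing output (not visible in the hunk), control characters taken from the message would pass through unchanged. A comment on the call such as `/* prints at most length bytes, stops at an embedded NUL, bytes are not escaped */` would record this, and escaping non-printable bytes is worth considering as a follow-up. The body of snprint_PKIStatusInfo_parts starts and ends outside the hunk.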