From: Timo Sirainen Date: Tue, 4 Aug 2009 18:54:36 +0000 (-0400) Subject: ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. X-Git-Tag: 2.0.alpha1~329 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cf0038be60439fde5009b36443dcef121760206a;p=thirdparty%2Fdovecot%2Fcore.git ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. --HG-- branch : HEAD
---
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index ea1ea21c68..f3f995cde7 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -609,8 +609,8 @@ bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy)
 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
 {
 X509 *x509;
- char buf[1024];
- const char *name;
+ char *name;
+ int len;

 if (!ssl_proxy_has_valid_client_cert(proxy))
 return NULL;
@@ -619,11 +619,21 @@ const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
 if (x509 == NULL)
 return NULL; /* we should have had it.. */

- if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
- ssl_username_nid, buf, sizeof(buf)) < 0)
+ len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
+ ssl_username_nid, NULL, 0);
+ if (len < 0)
 name = "";
- else
- name = t_strndup(buf, sizeof(buf));
+ else {
+ name = t_malloc(len + 1);
+ if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
+ ssl_username_nid, name, len + 1) < 0)
+ name = "";
+ else if (strlen(name) != (size_t)len) {
+ /* NUL characters in name. Someone's trying to fake
+ being another user? Don't allow it. */
+ name = "";
+ }
+ }
 X509_free(x509);

 return *name == '\0' ? NULL : name;
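Review bot: The embedded-NUL branch in the second hunk sets `name = ""`, so ssl_proxy_get_peer_name() returns NULL exactly as it does for a certificate that merely lacks the username field, and nothing is logged. Since the comment itself treats this as a possible impersonation attempt, I would log it at that point (the reported field length against `strlen(name)` is enough, no certificate contents needed) so it can be spotted in the login logs. The callers are not visible here, and the function starts in the previous hunk and ends after this one; it is worth confirming that a NULL return under ssl_username_from_cert=yes is treated as a failed login and does not fall back to a client-supplied username. Minor style point: `name` is now `char *` but still receives the literal `""`; a separate `const char *` for the returned value would keep the writable buffer and the result apart.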