Fix name length limit check.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 4 May 2016 15:09:06 +0000 (16:09 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 4 May 2016 16:39:37 +0000 (17:39 +0100)
The name length limit check in x509_name_ex_d2i() includes
the containing structure as well as the actual X509_NAME. This will
cause large CRLs to be rejected.

Fix by limiting the length passed to ASN1_item_ex_d2i() which will
then return an error if the passed X509_NAME exceeds the length.

RT#4531

Reviewed-by: Rich Salz <rsalz@openssl.org>
crypto/x509/x_name.c

index 72682fed70d4337b7aacd6a8a02e22c97493eef8..662de64ef0e7b65c2813ed30412933432950f081 100644 (file)
@@ -194,10 +194,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
     int i, j, ret;
     STACK_OF(X509_NAME_ENTRY) *entries;
     X509_NAME_ENTRY *entry;
-    if (len > X509_NAME_MAX) {
-        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
-        return 0;
-    }
+    if (len > X509_NAME_MAX)
+        len = X509_NAME_MAX;
     q = p;
 
     /* Get internal representation of Name */