Ensure that we check the ASN.1 type of an "otherName" before using it
author Matt Caswell <matt@openssl.org>
Thu, 26 Aug 2021 08:43:50 +0000 (09:43 +0100)
committer Pauli <pauli@openssl.org>
Tue, 31 Aug 2021 10:47:25 +0000 (20:47 +1000)

We should not assume that the type of an ASN.1 value is UTF8String as
expected. We must actually check it, otherwise we could get a NULL ptr
deref, or worse memory errors.

Reported by David Benjamin.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16443)

crypto/x509/v3_utl.c

index 5c63d2d9d842bee4d6c0fdcb34019d87b283318d..a70917a39bde0370b701f40080ae846c9b610f16 100644 (file)
@@ -901,12 +901,19 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
                 if (OBJ_obj2nid(gen->d.otherName->type_id) ==
                     NID_id_on_SmtpUTF8Mailbox) {
                     san_present = 1;
-                    cstr = gen->d.otherName->value->value.utf8string;
 
-                    /* Positive on success, negative on error! */
-                    if ((rv = do_check_string(cstr, 0, equal, flags,
-                                              chk, chklen, peername)) != 0)
-                        break;
+                    /*
+                     * If it is not a UTF8String then that is unexpected and we
+                     * treat it as no match
+                     */
+                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
+                        cstr = gen->d.otherName->value->value.utf8string;
+
+                        /* Positive on success, negative on error! */
+                        if ((rv = do_check_string(cstr, 0, equal, flags,
+                                                chk, chklen, peername)) != 0)
+                            break;
+                    }
                 } else
                     continue;
             } else {
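Review bot: the new test `gen->d.otherName->value->type == V_ASN1_UTF8STRING` still dereferences `gen->d.otherName->value` without checking it for NULL, so the type check only protects the union read that follows it. If the decoder guarantees that `value` is always populated, the comment above the test should say so; otherwise extend the condition to `gen->d.otherName->value != NULL && gen->d.otherName->value->type == V_ASN1_UTF8STRING`. Note also that `san_present = 1` is assigned before the type test, so an otherName of the wrong type counts as a SAN being present and yields no match. That is consistent with the "treat it as no match" comment, but the comment could state it explicitly so that a later refactor does not move the assignment inside the new block. No test accompanies the hunk; a certificate whose SmtpUTF8Mailbox otherName carries a non-UTF8String value would pin the behaviour.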