ASN.1 strings may not be NUL terminated. Don't assume they are.
CVE-2021-3712
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
return 0;
return
- ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data);
+ ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data,
+ text->length);
}
int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,
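Review bot: The changed call reads `text->data` and `text->length` directly and casts away const, while the BIO_snprintf change in this same commit uses `ASN1_STRING_get0_data()` and `ASN1_STRING_length()`. Using the accessors here too keeps the pointer and its length visibly paired: `ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (const char *)ASN1_STRING_get0_data(text), ASN1_STRING_length(text));`. The enclosing function starts above the visible lines, so whether `text` is checked for NULL before this return cannot be confirmed from here.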
int only_self_issued);
STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
- const char *text);
+ const char *text, int len);
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src);
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
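Review bot: The new `int len` parameter is undocumented at the prototype, yet the fix depends on its contract. A non-negative value is a byte count for a buffer that need not be NUL-terminated, while -1 (passed for `lib`, `reason` and `details` in the error-details hunk) makes `ASN1_STRING_set()` fall back to strlen(). That makes -1 safe only for genuine C strings. I would add above the declaration `/* len is the number of bytes in text, or -1 if text is NUL-terminated */` so a future caller holding ASN.1 data does not reach for -1.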
goto err;
msg->body->value.error->errorDetails = ft;
if (lib != NULL && *lib != '\0'
- && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib))
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
goto err;
if (reason != NULL && *reason != '\0'
- && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason))
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
goto err;
if (details != NULL
- && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
+ && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
goto err;
}
ADVANCE_BUFFER;
for (i = 0; i < n_status_strings; i++) {
text = sk_ASN1_UTF8STRING_value(status_strings, i);
- printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%s\"%s",
+ printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
+ ASN1_STRING_length(text),
ASN1_STRING_get0_data(text),
i < n_status_strings - 1 ? ", " : "");
ADVANCE_BUFFER;
}
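Review bot: `%.*s` caps the read at the ASN.1 length, which removes the over-read, but output still stops at the first NUL byte inside the string and the bytes land between the quotes unescaped. If these status strings come from a received message (not visible in this hunk), a value containing `"`, a newline or an embedded NUL can make the rendered status line ambiguous or shorter than what was sent. A comment above the call would record that, e.g. `/* text may lack a NUL terminator; output is bounded by its length, cut at an embedded NUL, and not escaped */`. The loop sits in a function that begins and ends outside these lines.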
int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
- const char *text)
+ const char *text, int len)
{
ASN1_UTF8STRING *utf8string;
return 0;
if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
return 0;
- if (!ASN1_STRING_set(utf8string, text, -1))
+ if (!ASN1_STRING_set(utf8string, text, len))
goto err;
if (!sk_ASN1_UTF8STRING_push(sk, utf8string))
goto err;
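Review bot: `len` is handed to `ASN1_STRING_set()` unchecked, and that function treats every negative length, not only the -1 sentinel, as a request to strlen() the input. A caller passing a negative value computed elsewhere would bring back the unbounded read this commit removes on a buffer without a terminator. I would reject it before the allocation: `if (len < -1) return 0;`. The function body continues past the visible lines.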