projects / platform / upstream / libtasn1.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ad4da44)
Fix CVE-2017-10790 vulnerability 11/153911/2 accepted/tizen/unified/20171011.150545 submit/tizen/20171005.115455
authorPawel Kowalski <p.kowalski2@partner.samsung.com>
Tue, 3 Oct 2017 09:23:45 +0000 (11:23 +0200)
committerPawel Kowalski <p.kowalski2@partner.samsung.com>
Tue, 3 Oct 2017 09:40:22 +0000 (11:40 +0200)
The patch fixes CVE-2017-10790 vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10790
https://bugzilla.redhat.com/show_bug.cgi?id=1464141#c5
The _asn1_check_identifier function caused a NULL pointer dereference
and crashed when a NULL value was assigned to value member in
asn1_node. It could lead to a remote DOS attack.

(cherry-picked from upstream d8d805e1f2e6799bb2dff4871a8598dc83088a39)

Change-Id: I4136fe2df14980581cfdc6ec619742967449349c

lib/parser_aux.c patch | blob | history

diff --git a/lib/parser_aux.c b/lib/parser_aux.c
index 16379af..723d48b 100644 (file)
--- a/lib/parser_aux.c
+++ b/lib/parser_aux.c
@@ -951,7 +951,7 @@ _asn1_check_identifier (asn1_node node)
          if (p2 == NULL)
            {
              if (p->value)
-               _asn1_strcpy (_asn1_identifierMissing, p->value);
+               _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p->value);
              else
                _asn1_strcpy (_asn1_identifierMissing, "(null)");
              return ASN1_IDENTIFIER_NOT_FOUND;
@@ -964,9 +964,14 @@ _asn1_check_identifier (asn1_node node)
          if (p2 && (type_field (p2->type) == ASN1_ETYPE_DEFAULT))
            {
              _asn1_str_cpy (name2, sizeof (name2), node->name);
-             _asn1_str_cat (name2, sizeof (name2), ".");
-             _asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
-             _asn1_strcpy (_asn1_identifierMissing, p2->value);
+             if (p2->value)
+               {
+                 _asn1_str_cat (name2, sizeof (name2), ".");
+                 _asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
+                 _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value);
+               }
+             else
+               _asn1_strcpy (_asn1_identifierMissing, "(null)");
              p2 = asn1_find_node (node, name2);
              if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID) ||
                  !(p2->type & CONST_ASSIGN))
@@ -986,7 +991,7 @@ _asn1_check_identifier (asn1_node node)
                  _asn1_str_cpy (name2, sizeof (name2), node->name);
                  _asn1_str_cat (name2, sizeof (name2), ".");
                  _asn1_str_cat (name2, sizeof (name2), (char *) p2->value);
-                 _asn1_strcpy (_asn1_identifierMissing, p2->value);
+                 _asn1_str_cpy (_asn1_identifierMissing, sizeof(_asn1_identifierMissing), (char*)p2->value);
                  p2 = asn1_find_node (node, name2);
                  if (!p2 || (type_field (p2->type) != ASN1_ETYPE_OBJECT_ID)
                      || !(p2->type & CONST_ASSIGN))
Domain: Security / Utilities;