diff options
author | Andy Polyakov <appro@openssl.org> | 2018-08-05 11:51:37 +0200 |
---|---|---|
committer | Andy Polyakov <appro@openssl.org> | 2018-08-07 08:56:17 +0200 |
commit | 28ad73181aeb3b0b027d53d3266159f4b2e15d5b (patch) | |
tree | f68342297aa398ae53af26457fe4b60c99dc4e70 /crypto/x509 | |
parent | f44d7e8b472dfc0602f8d06ef72e808a5e8d410c (diff) |
x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.
Documentation says "at most B<len> bytes will be written", which
formally doesn't prohibit zero. But if zero B<len> was passed, the
call to memcpy was bound to crash.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/x509name.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c index 46668244e2..64a73e793f 100644 --- a/crypto/x509/x509name.c +++ b/crypto/x509/x509name.c @@ -26,8 +26,8 @@ int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) return X509_NAME_get_text_by_OBJ(name, obj, buf, len); } -int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, - int len) +int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, + char *buf, int len) { int i; const ASN1_STRING *data; @@ -36,9 +36,11 @@ int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf if (i < 0) return -1; data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i)); - i = (data->length > (len - 1)) ? (len - 1) : data->length; if (buf == NULL) return data->length; + if (len <= 0) + return 0; + i = (data->length > (len - 1)) ? (len - 1) : data->length; memcpy(buf, data->data, i); buf[i] = '\0'; return i; |