From 29edebe95c2a51470c78c7e769c926719965eeb1 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <openssl-users@dukhovni.org>
Date: Sun, 22 Jun 2014 20:18:53 -0400
Subject: More complete input validation of X509_check_mumble

---
 crypto/x509v3/v3_utl.c | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

(limited to 'crypto/x509v3/v3_utl.c')

diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 5401d90e10..ea260f3c95 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -972,22 +972,46 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
 int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
 					unsigned int flags)
 	{
+	if (chk == NULL)
+		return -2;
+	/*
+	 * Embedded NULs are disallowed, except as the last character of a
+	 * string of length 2 or more (tolerate caller including terminating
+	 * NUL in string length).
+	 */
 	if (chklen == 0)
-		chklen = chk ? strlen((char *)chk) : 0;
-	else if (chk && memchr(chk, '\0', chklen))
-		return 0;
+		chklen = strlen((char *)chk);
+	else if (memchr(chk, '\0', chklen > 1 ? chklen-1 : chklen))
+		return -2;
+	if (chklen > 1 && chk[chklen-1] == '\0')
+		--chklen;
 	return do_x509_check(x, chk, chklen, flags, GEN_DNS);
 	}
 
 int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
 					unsigned int flags)
 	{
+	if (chk == NULL)
+		return -2;
+	/*
+	 * Embedded NULs are disallowed, except as the last character of a
+	 * string of length 2 or more (tolerate caller including terminating
+	 * NUL in string length).
+	 */
+	if (chklen == 0)
+		chklen = strlen((char *)chk);
+	else if (memchr(chk, '\0', chklen > 1 ? chklen-1 : chklen))
+		return -2;
+	if (chklen > 1 && chk[chklen-1] == '\0')
+		--chklen;
 	return do_x509_check(x, chk, chklen, flags, GEN_EMAIL);
 	}
 
 int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
 					unsigned int flags)
 	{
+	if (chk == NULL)
+		return -2;
 	return do_x509_check(x, chk, chklen, flags, GEN_IPADD);
 	}
 
@@ -995,6 +1019,8 @@ int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
 	{
 	unsigned char ipout[16];
 	int iplen;
+	if (ipasc == NULL)
+		return -2;
 	iplen = a2i_ipadd(ipout, ipasc);
 	if (iplen == 0)
 		return -2;
-- 
cgit v1.2.3