(ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Howard Chu
hyc at symas.com
Sun Feb 10 10:58:37 CET 2008
hyc at symas.com wrote:
> Steve Langasek wrote:
>> Given that one of the errors
>> returned by gnutls_x509_crt_get_subject_alt_name() is
>> GNUTLS_E_SHORT_MEMORY_BUFFER, it seems obvious to me that this should use
>> semantics for storage size rather than string length, and the only question
>> in my mind is whether the trailing NUL is included as part of the internal
>> representation of the string.
>>
>> If this is a behavior change as you say, then I guess we need clarification
>> from GnuTLS upstream about whether this is intentional.
Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
you're seeing. The change is here:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
and it is clearly a bug, since subjectAltName's are not necessarily strings.
(E.g., they can also be IP addresses, which are just 4 or 16 octets.) If you
notice in the diff, they set
*name_size = len + 1;
and then later
name[len] = 0;
but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they can
cause a write past the end of the supplied buffer.
This patch should be reverted, it is clearly wrong.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the Gnutls-devel
mailing list