Bug in gnutls_x509_crt_list_import

Jonathan Manktelow jonathan at dyalog.com
Tue Sep 23 13:20:27 CEST 2008

There is a buffer overrun bug in gnutls_x509_crt_list_import (from gnutls
4.2.2) if it's given a file containing multiple PEM certificates, each of
which is separated by more than one character (such as in a file with
Windows line endings).

In gnutls_x509_crt_list_import, when reading the second, and all
subsequent, certificates, the lines

	  tmp.data = (unsigned char *) ptr;
	  tmp.size = size;

set up a temporary buffer for gnutls_x509_crt_import to read from. However,
the size variable is not set correctly.
Changing these lines to

	  tmp.data = (unsigned char *) ptr;
	  size = data->size - (ptr - (char *) data->data);
	  tmp.size = size;

fixes it.

Please can you confirm if this is a bug, and if so, if the fix is correct?


Jonathan Manktelow
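
Added example (not part of the original message and not gnutls code): a small C harness that walks a constructed CRLF-separated PEM buffer and checks whether the pointer/length pair handed to a single-certificate importer stays inside the buffer. The names PEM_HDR, next_hdr, max_overrun and sample are hypothetical, and the stale variant is an assumed illustration of a length that is not recomputed after the pointer moves; the recomputed variant uses the formula from the message.

```c
#include <stddef.h>
#include <string.h>

#define PEM_HDR "-----BEGIN CERTIFICATE-----"

/* Constructed sample: two dummy PEM blocks with Windows (CRLF) line endings. */
static const char sample[] =
    "-----BEGIN CERTIFICATE-----\r\nQUJD\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\nREVG\r\n-----END CERTIFICATE-----\r\n";

/* Return the first PEM header inside [p, p + len), or NULL if there is none. */
static const char *next_hdr(const char *p, size_t len)
{
    const size_t n = sizeof(PEM_HDR) - 1;
    for (; len >= n; p++, len--)
        if (memcmp(p, PEM_HDR, n) == 0)
            return p;
    return NULL;
}

/*
 * Walk each PEM block in data[0..size) and work out the (ptr, len) pair that
 * would be handed to a single-certificate importer as tmp.data / tmp.size.
 *   recompute != 0: len = size - (ptr - data), the fix proposed in the post.
 *   recompute == 0: len is whatever was computed before ptr moved to the
 *                   next header (assumed stale variant, for illustration).
 * Returns the largest number of bytes by which ptr + len passes the end of
 * the buffer (0 means every block stayed in bounds); *blocks counts blocks.
 */
size_t max_overrun(const char *data, size_t size, int recompute, size_t *blocks)
{
    const char *ptr = next_hdr(data, size);
    size_t len = size, worst = 0;

    *blocks = 0;
    while (ptr != NULL) {
        size_t avail = size - (size_t)(ptr - data); /* bytes really left */
        if (recompute)
            len = avail;
        if (len > avail && len - avail > worst)
            worst = len - avail;
        (*blocks)++;
        ptr++;                                /* step past this header */
        len = size - (size_t)(ptr - data);    /* valid only for this ptr */
        ptr = next_hdr(ptr, len);             /* ptr moves on, len does not */
    }
    return worst;
}
```

With the recomputed length, ptr + len always lands exactly on the end of the buffer, which is the invariant a regression test for this function should assert with both LF and CRLF input.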

