Simon Josefsson simon at
Fri Aug 7 00:22:10 CEST 2009

Nikos Mavrogiannopoulos <nmav at> writes:

> Simon Josefsson wrote:
>> Having had some time to read the code, here are some observations:
>> * The old _gnutls_x509_oid_data2string in lib/x509/common.c is buggy
>>   since it truncates the string after a NUL (it copies the string using
>>   strcpy instead of memcpy).  The RES_SIZE length output variable is
>>   correct though, but output data beyond the NUL will be garbage.
>> * I can see a few ways to solve the problem:
>>   1) Make _gnutls_x509_oid_data2string escape NULs as \00 following RFC
>>      2253.
>>   2) Use memcpy instead of strcpy and change the documentation of the
>>      function to say that the returned string may contain embedded NULs,
>>      and fix the callers of that function.
>>   3) Return a RFC 2253 #-style string for these strings.
>>   4) Return an error when a NUL is encountered.
> 4 is just ok. One could do 1 if he really bothers, but there is no
> reason for that. Even though IA5 string allows for null character there
> is no reason for us to allow it. It is the null terminator for C strings
> thus allowing it can cause only problems and complicated code.

I agree.  I have applied the patch.  It is not sufficient alone: NUL in
SAN is not covered by that code path, but RedHat supplied a fix for the
hostname comparison functions.  What remains is to make sure printing a
certificate with NUL in SAN comes out OK.
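The four options Simon lists, side by side, as an added example that is not GnuTLS code and not part of the original thread. It uses a constructed IA5String value with an embedded NUL ("www.bank.com" NUL ".evil.example"), shows why a strcpy-style copy reports the right length but loses everything after the NUL, and then implements the RFC 2253 "\00" escape (option 1), a length-carrying memcpy (option 2), the RFC 2253 "#"-hex form (option 3, short-form BER length only) and the outright rejection that was applied (option 4). Function names are hypothetical and stand in for the real _gnutls_x509_oid_data2string.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: the raw bytes of an IA5String SAN with an embedded NUL.
 * sizeof-1 drops only the literal's own terminator, so the embedded NUL is counted. */
static const unsigned char SAMPLE[] = "www.bank.com\0.evil.example";
static const size_t SAMPLE_LEN = sizeof(SAMPLE) - 1;   /* 26 bytes */

/* File-scope scratch buffer for callers that have no storage of their own. */
static char scratch[256];

/* The bug as described: the length reported to the caller is the full DER length,
 * but the bytes are copied with strcpy, which stops at the first NUL. Whatever was
 * in the buffer beyond it ('?' here, stale data in real life) is handed back as data. */
int buggy_strcpy_style(const unsigned char *in, size_t in_len, char *out, size_t out_size)
{
    if (in_len + 1 > out_size) return -1;
    memset(out, '?', in_len);
    out[in_len] = 0;
    strcpy(out, (const char *)in);      /* BUG: truncates at the embedded NUL */
    return (int)in_len;                 /* ...while still claiming all bytes were copied */
}

/* Option 2: copy every byte and return the length; callers must stop using strlen(). */
int copy_memcpy_style(const unsigned char *in, size_t in_len, char *out, size_t out_size)
{
    if (in_len + 1 > out_size) return -1;
    memcpy(out, in, in_len);
    out[in_len] = 0;                    /* terminator for convenience; not a length */
    return (int)in_len;
}

/* Option 1: RFC 2253 backslash-hex escape of NUL ("\00"); other bytes pass through. */
int escape_nul_rfc2253(const unsigned char *in, size_t in_len, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == 0) {
            if (o + 3 >= out_size) return -1;
            out[o++] = '\\'; out[o++] = '0'; out[o++] = '0';
        } else {
            if (o + 1 >= out_size) return -1;
            out[o++] = (char)in[i];
        }
    }
    out[o] = 0;
    return (int)o;
}

/* Option 3: RFC 2253 '#' form, hex of the BER encoding (tag, short-form length, value).
 * Assumption: value shorter than 128 bytes, so a single length octet suffices. */
int hex_rfc2253(unsigned char tag, const unsigned char *in, size_t in_len, char *out, size_t out_size)
{
    static const char hx[] = "0123456789abcdef";
    if (in_len > 127 || out_size < 1 + 2 + 2 + 2 * in_len + 1) return -1;
    char *p = out;
    *p++ = '#';
    *p++ = hx[tag >> 4];    *p++ = hx[tag & 15];
    *p++ = hx[in_len >> 4]; *p++ = hx[in_len & 15];
    for (size_t i = 0; i < in_len; i++) { *p++ = hx[in[i] >> 4]; *p++ = hx[in[i] & 15]; }
    *p = 0;
    return (int)(p - out);
}

/* Option 4 (the one applied): refuse any value containing a NUL before copying anything.
 * Returns -2 for an embedded NUL, -1 if the buffer is too small, else the length. */
int reject_nul(const unsigned char *in, size_t in_len, char *out, size_t out_size)
{
    if (memchr(in, 0, in_len) != NULL) return -2;
    if (in_len + 1 > out_size) return -1;
    memcpy(out, in, in_len);
    out[in_len] = 0;
    return (int)in_len;
}

int main(void)
{
    char buf[256];
    int n = buggy_strcpy_style(SAMPLE, SAMPLE_LEN, buf, sizeof buf);
    printf("strcpy-style: reported %d bytes, strlen(out)=%zu, byte 13 is '%c'\n", n, strlen(buf), buf[13]);
    n = copy_memcpy_style(SAMPLE, SAMPLE_LEN, buf, sizeof buf);
    printf("memcpy-style: %d bytes, strlen(out)=%zu (so callers must not use strlen)\n", n, strlen(buf));
    n = escape_nul_rfc2253(SAMPLE, SAMPLE_LEN, buf, sizeof buf);
    printf("escaped:      %s (%d chars)\n", buf, n);
    n = hex_rfc2253(0x16, SAMPLE, SAMPLE_LEN, buf, sizeof buf);   /* 0x16 = IA5String */
    printf("#-form:       %s (%d chars)\n", buf, n);
    n = reject_nul(SAMPLE, SAMPLE_LEN, buf, sizeof buf);
    printf("reject:       %d (embedded NUL refused)\n", n);
    return 0;
}
```

The strcpy-style copy is the dangerous one precisely because the returned length looks right: a caller that trusts it reads 26 bytes of which the last 13 are not the certificate's. Rejecting the value keeps every downstream consumer (name comparison, printing) on plain C strings, which is the point Nikos makes above.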


More information about the Gnutls-devel mailing list