[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAlt

From: Howard Chu
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Sun, 10 Feb 2008 01:58:37 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

address@hidden wrote:
Steve Langasek wrote:
Given that one of the errors
returned by gnutls_x509_crt_get_subject_alt_name() is
GNUTLS_E_SHORT_MEMORY_BUFFER, it seems obvious to me that this should use
semantics for storage size rather than string length, and the only question
in my mind is whether the trailing NUL is included as part of the internal
representation of the string.

If this is a behavior change as you say, then I guess we need clarification
from GnuTLS upstream about whether this is intentional.

Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result you're seeing. The change is here:;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048

and it is clearly a bug, since subjectAltName's are not necessarily strings. (E.g., they can also be IP addresses, which are just 4 or 16 octets.) If you notice in the diff, they set
         *name_size = len + 1;
and then later
        name[len] = 0;
but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they can cause a write past the end of the supplied buffer.

This patch should be reverted, it is clearly wrong.
  -- Howard Chu
  Chief Architect, Symas Corp.
  Director, Highland Sun
  Chief Architect, OpenLDAP

reply via email to

[Prev in Thread] Current Thread [Next in Thread]