gnutls-devel

Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAlt


From: Howard Chu
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Fri, 15 Feb 2008 11:05:50 -0800
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9b3pre) Gecko/2008013117 SeaMonkey/2.0a1pre

Nikos Mavrogiannopoulos wrote:
> Indeed I'll try to improve this patch to work only for formats known
> to be text.

The code was perfectly correct before this patch. Why do you want to change anything here at all? I looked in the gnutls-devel archives and couldn't find any discussion of this change. It would be nice to understand what you're trying to accomplish here, given that there are large bodies of code already written that expect the existing behavior of GnuTLS 2.1.7 and older.

> On Fri, Feb 15, 2008 at 12:34 AM, Joe Orton <address@hidden> wrote:
>> On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
>>> Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
>>> you're seeing. The change is here:
>>>
>>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
>>>
>>> and it is clearly a bug, since subjectAltName's are not necessarily
>>> strings. (E.g., they can also be IP addresses, which are just 4 or 16
>>> octets.) If you notice in the diff, they set
>>>        *name_size = len + 1;
>>> and then later
>>>        name[len] = 0;
>>> but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
>>> can cause a write past the end of the supplied buffer.
>>>
>>> This patch should be reverted, it is clearly wrong.
>>
>> FWIW, I agree.  neon's test cases for subjectAltName support are
>> breaking with 2.3.0 as well.  Reverting the changeset Howard referenced
>> fixes the issues.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
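A simplified model of the length-check ordering Howard describes, added here as an example; it is not GnuTLS code, and the SAN type tags and the SHORT_MEMORY_BUFFER value are local stand-ins. The first function reports when writing the terminator after a data-only size check would land past the caller's buffer, and the second shows a copy that counts the terminator before the check and appends it only for text name types, leaving IP-address octets untouched.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins; not the GnuTLS enum or error values. */
#define SHORT_MEMORY_BUFFER (-51)
#define SAN_DNSNAME   1
#define SAN_IPADDRESS 2

/* Models the ordering Howard describes: the SHORT_MEMORY_BUFFER check
 * compares len against the buffer, but name[len] = 0 is written afterwards.
 * Returns 1 when that terminator would land past the caller's buffer.
 * Nothing is written here; this only reproduces the arithmetic. */
int buggy_terminator_out_of_bounds(size_t len, size_t buf_size)
{
    if (len > buf_size)          /* the check as described: data only */
        return 0;                /* rejected, no write happens */
    return (len + 1 > buf_size); /* name[len] sits at index buf_size */
}

/* Hardened copy: the terminator is counted before the size check and
 * appended only for text name types; an IP address is raw octets. */
int copy_san(int type, const unsigned char *value, size_t len,
             unsigned char *name, size_t *name_size)
{
    int is_text = (type == SAN_DNSNAME);
    size_t needed = len + (is_text ? 1 : 0);

    if (name == NULL || *name_size < needed) {
        *name_size = needed;     /* tell the caller how much to allocate */
        return SHORT_MEMORY_BUFFER;
    }
    memcpy(name, value, len);
    if (is_text)
        name[len] = 0;
    *name_size = len;            /* data length, excluding any terminator */
    return 0;
}

int main(void)
{
    /* Constructed input: an 11-byte dNSName and an 11-byte buffer. */
    unsigned char buf[11];
    size_t size = sizeof buf;
    int rc = copy_san(SAN_DNSNAME, (const unsigned char *)"example.com", 11,
                      buf, &size);
    printf("buggy order overflows: %d\n",
           buggy_terminator_out_of_bounds(11, sizeof buf));   /* 1 */
    printf("hardened copy: rc=%d, needed=%zu\n", rc, size);   /* -51, 12 */
    return 0;
}
```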
