[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAlt

From: Joe Orton
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Thu, 14 Feb 2008 22:34:50 +0000
User-agent: Mutt/1.5.17 (2007-11-01)

On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
> Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result 
> you're seeing. The change is here:
> and it is clearly a bug, since subjectAltName's are not necessarily 
> strings. (E.g., they can also be IP addresses, which are just 4 or 16 
> octets.) If you notice in the diff, they set
>        *name_size = len + 1;
> and then later
>       name[len] = 0;
> but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they 
> can cause a write past the end of the supplied buffer.
> This patch should be reverted, it is clearly wrong.

FWIW, I agree.  neon's test cases for subjectAltName support are 
breaking with 2.3.0 as well.  Reverting the changeset Howard referenced 
fixes the issues.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]