commit 535e97dbab8cf34bb1e487f0f0f169a04eb9921f
author Paul Bakker <p.j.bakker@polarssl.org> Thu Aug 23 10:49:55 2012 +0000
committer Paul Bakker <p.j.bakker@polarssl.org> Thu Aug 23 10:49:55 2012 +0000
tree a767214909c319523b5b722dc89f1394f32f7321
parent 9195662a4c4c81ac864f7854207c2719c0ca6b84

 - Better checking for reading over buffer boundaries
 - Zeroize altSubjectName chain memory before use

library/x509parse.c

diff --git a/library/x509parse.c b/library/x509parse.c
index a43c6d4..1ed3fdc 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
@@ -878,6 +878,7 @@
                 return( POLARSSL_ERR_X509_CERT_INVALID_EXTENSIONS +
                         POLARSSL_ERR_ASN1_MALLOC_FAILED );
 
+            memset( cur->next, 0, sizeof( asn1_sequence ) );
             cur = cur->next;
         }
     }
@@ -1355,7 +1356,8 @@
         return( ret );
     }
 
-    if( memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
+    if( crt->sig_oid1.len != crt->sig_oid2.len ||
+        memcmp( crt->sig_oid1.p, crt->sig_oid2.p, crt->sig_oid1.len ) != 0 )
     {
         x509_free( crt );
         return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
@@ -1776,7 +1778,8 @@
         return( ret );
     }
 
-    if( memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
+    if( crl->sig_oid1.len != crl->sig_oid2.len ||
+        memcmp( crl->sig_oid1.p, crl->sig_oid2.p, crl->sig_oid1.len ) != 0 )
     {
         x509_crl_free( crl );
         return( POLARSSL_ERR_X509_CERT_SIG_MISMATCH );
@@ -2530,7 +2533,8 @@
             SAFE_SNPRINTF();
         }
 
-        if( memcmp( name->oid.p, OID_X520, 2 ) == 0 )
+        if( name->oid.len == 3 &&
+            memcmp( name->oid.p, OID_X520, 2 ) == 0 )
         {
             switch( name->oid.p[2] )
             {
@@ -2559,7 +2563,8 @@
             }
         SAFE_SNPRINTF();
         }
-        else if( memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
+        else if( name->oid.len == 9 &&
+                 memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
         {
             switch( name->oid.p[8] )
             {
@@ -3071,8 +3076,8 @@
     if( cn_idx == 0 )
         return( 0 );
 
-    if( memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 &&
-        strlen( cn ) - cn_idx == name->len - 1 )
+    if( strlen( cn ) - cn_idx == name->len - 1 &&
+        memcmp( name->p + 1, cn + cn_idx, name->len - 1 ) == 0 )
     {
         return( 1 );
     }
@@ -3114,11 +3119,12 @@
 
             while( cur != NULL )
             {
-                if( memcmp( cn, cur->buf.p, cn_len ) == 0 &&
-                            cur->buf.len == cn_len )
+                if( cur->buf.len == cn_len &&
+                    memcmp( cn, cur->buf.p, cn_len ) == 0 )
                     break;
 
-                if( memcmp( cur->buf.p, "*.", 2 ) == 0 &&
+                if( cur->buf.len > 2 &&
+                    memcmp( cur->buf.p, "*.", 2 ) == 0 &&
                             x509_wildcard_verify( cn, &cur->buf ) )
                     break;
 
@@ -3132,13 +3138,15 @@
         {
             while( name != NULL )
             {
-                if( memcmp( name->oid.p, OID_CN,  3 ) == 0 )
+                if( name->oid.len == 3 &&
+                    memcmp( name->oid.p, OID_CN,  3 ) == 0 )
                 {
-                    if( memcmp( name->val.p, cn, cn_len ) == 0 &&
-                                name->val.len == cn_len )
+                    if( name->val.len == cn_len &&
+                        memcmp( name->val.p, cn, cn_len ) == 0 )
                         break;
 
-                    if( memcmp( name->val.p, "*.", 2 ) == 0 &&
+                    if( name->val.len > 2 &&
+                        memcmp( name->val.p, "*.", 2 ) == 0 &&
                                 x509_wildcard_verify( cn, &name->val ) )
                         break;
                 }