summaryrefslogtreecommitdiffstats
path: root/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
blob: 618eb3de48f1bc52440603348f7a3de77dbf9384 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

From 4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 14 Dec 2020 20:05:44 +0000
Subject: [PATCH] ITS#9425 add more checks to ldap_X509dn2bv

---
 libraries/libldap/tls2.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index e0c82fa9f8..193d20fdfa 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1248,6 +1248,8 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
 		for ( tag = ber_first_element( ber, &len, &rdn_end );
 			tag == LBER_SEQUENCE;
 			tag = ber_next_element( ber, &len, rdn_end )) {
+			if ( rdn_end > dn_end )
+				return LDAP_DECODING_ERROR;
 			tag = ber_skip_tag( ber, &len );
 			ber_skip_data( ber, len );
 			navas++;
@@ -1257,7 +1259,7 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
 	/* Rewind and prepare to extract */
 	ber_rewind( ber );
 	tag = ber_first_element( ber, &len, &dn_end );
-	if ( tag == LBER_DEFAULT )
+	if ( tag != LBER_SET )
 		return LDAP_DECODING_ERROR;
 
 	/* Allocate the DN/RDN/AVA stuff as a single block */    
@@ -1370,6 +1372,10 @@ allocd:
 				/* X.690 bitString value converted to RFC4517 Bit String */
 				rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
 				goto allocd;
+			case LBER_DEFAULT:
+				/* decode error */
+				rc = LDAP_DECODING_ERROR;
+				goto nomem;
 			default:
 				/* Not a string type at all */
 				newAVA->la_flags = 0;
-- 
2.20.1
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-21 17:37:12 +0000