|
8
|
1 |
|
|
|
2 |
#At file:///home/ram/mysql/b50227-5.0-bugteam/ based on revid:gshchepa@stripped
|
|
|
3 |
|
|
|
4 |
2838 Ramil Kalimullin 2010-01-13
|
|
|
5 |
Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL
|
|
|
6 |
|
|
|
7 |
Problem: copying issuer's (or subject's) name tags into an internal
|
|
|
8 |
buffer from incoming stream we didn't check the buffer overflow.
|
|
|
9 |
That may lead to memory overrun, crash etc.
|
|
|
10 |
|
|
|
11 |
Fix: ensure we don't overrun the buffer.
|
|
|
12 |
|
|
|
13 |
Note: there's no simple test case (exploit needed).
|
|
|
14 |
@ extra/yassl/taocrypt/include/asn.hpp
|
|
|
15 |
Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL
|
|
|
16 |
- CertDecoder::AddTag() introduced.
|
|
|
17 |
@ extra/yassl/taocrypt/src/asn.cpp
|
|
|
18 |
Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL
|
|
|
19 |
- copying data from incoming stream to the issuer_ or subject_
|
|
|
20 |
buffers ensure we don't overrun them.
|
|
|
21 |
- code cleanup.
|
|
|
22 |
|
|
|
23 |
modified:
|
|
|
24 |
extra/yassl/taocrypt/include/asn.hpp
|
|
|
25 |
extra/yassl/taocrypt/src/asn.cpp
|
|
|
26 |
=== modified file 'extra/yassl/taocrypt/include/asn.hpp'
|
|
|
27 |
--- a/extra/yassl/taocrypt/include/asn.hpp 2007-01-29 15:54:40 +0000
|
|
|
28 |
+++ b/extra/yassl/taocrypt/include/asn.hpp 2010-01-13 05:20:45 +0000
|
|
|
29 |
@@ -305,6 +305,7 @@ private:
|
|
|
30 |
bool ValidateSignature(SignerList*);
|
|
|
31 |
bool ConfirmSignature(Source&);
|
|
|
32 |
void GetKey();
|
|
|
33 |
+ char* AddTag(char*, const char*, const char*, word32, word32);
|
|
|
34 |
void GetName(NameType);
|
|
|
35 |
void GetValidity();
|
|
|
36 |
void GetDate(DateType);
|
|
|
37 |
|
|
|
38 |
=== modified file 'extra/yassl/taocrypt/src/asn.cpp'
|
|
|
39 |
--- a/extra/yassl/taocrypt/src/asn.cpp 2009-06-29 13:17:01 +0000
|
|
|
40 |
+++ b/extra/yassl/taocrypt/src/asn.cpp 2010-01-13 05:20:45 +0000
|
|
|
41 |
@@ -652,6 +652,23 @@ word32 CertDecoder::GetDigest()
|
|
|
42 |
}
|
|
|
43 |
|
|
|
44 |
|
|
|
45 |
+char *CertDecoder::AddTag(char *ptr, const char *buf_end,
|
|
|
46 |
+ const char *tag_name, word32 tag_name_length,
|
|
|
47 |
+ word32 tag_value_length)
|
|
|
48 |
+{
|
|
|
49 |
+ if (ptr + tag_name_length + tag_value_length > buf_end)
|
|
|
50 |
+ return 0;
|
|
|
51 |
+
|
|
|
52 |
+ memcpy(ptr, tag_name, tag_name_length);
|
|
|
53 |
+ ptr+= tag_name_length;
|
|
|
54 |
+
|
|
|
55 |
+ memcpy(ptr, source_.get_current(), tag_value_length);
|
|
|
56 |
+ ptr+= tag_value_length;
|
|
|
57 |
+
|
|
|
58 |
+ return ptr;
|
|
|
59 |
+}
|
|
|
60 |
+
|
|
|
61 |
+
|
|
|
62 |
// process NAME, either issuer or subject
|
|
|
63 |
void CertDecoder::GetName(NameType nt)
|
|
|
64 |
{
|
|
|
65 |
@@ -659,11 +676,21 @@ void CertDecoder::GetName(NameType nt)
|
|
|
66 |
|
|
|
67 |
SHA sha;
|
|
|
68 |
word32 length = GetSequence(); // length of all distinguished names
|
|
|
69 |
- assert (length < ASN_NAME_MAX);
|
|
|
70 |
+
|
|
|
71 |
+ if (length >= ASN_NAME_MAX)
|
|
|
72 |
+ goto err;
|
|
|
73 |
length += source_.get_index();
|
|
|
74 |
|
|
|
75 |
- char* ptr = (nt == ISSUER) ? issuer_ : subject_;
|
|
|
76 |
- word32 idx = 0;
|
|
|
77 |
+ char *ptr, *buf_end;
|
|
|
78 |
+
|
|
|
79 |
+ if (nt == ISSUER) {
|
|
|
80 |
+ ptr= issuer_;
|
|
|
81 |
+ buf_end= ptr + sizeof(issuer_) - 1; // 1 byte for trailing 0
|
|
|
82 |
+ }
|
|
|
83 |
+ else {
|
|
|
84 |
+ ptr= subject_;
|
|
|
85 |
+ buf_end= ptr + sizeof(subject_) - 1; // 1 byte for trailing 0
|
|
|
86 |
+ }
|
|
|
87 |
|
|
|
88 |
while (source_.get_index() < length) {
|
|
|
89 |
GetSet();
|
|
|
90 |
@@ -685,47 +712,36 @@ void CertDecoder::GetName(NameType nt)
|
|
|
91 |
byte id = source_.next();
|
|
|
92 |
b = source_.next(); // strType
|
|
|
93 |
word32 strLen = GetLength(source_);
|
|
|
94 |
- bool copy = false;
|
|
|
95 |
|
|
|
96 |
- if (id == COMMON_NAME) {
|
|
|
97 |
- memcpy(&ptr[idx], "/CN=", 4);
|
|
|
98 |
- idx += 4;
|
|
|
99 |
- copy = true;
|
|
|
100 |
- }
|
|
|
101 |
- else if (id == SUR_NAME) {
|
|
|
102 |
- memcpy(&ptr[idx], "/SN=", 4);
|
|
|
103 |
- idx += 4;
|
|
|
104 |
- copy = true;
|
|
|
105 |
- }
|
|
|
106 |
- else if (id == COUNTRY_NAME) {
|
|
|
107 |
- memcpy(&ptr[idx], "/C=", 3);
|
|
|
108 |
- idx += 3;
|
|
|
109 |
- copy = true;
|
|
|
110 |
- }
|
|
|
111 |
- else if (id == LOCALITY_NAME) {
|
|
|
112 |
- memcpy(&ptr[idx], "/L=", 3);
|
|
|
113 |
- idx += 3;
|
|
|
114 |
- copy = true;
|
|
|
115 |
- }
|
|
|
116 |
- else if (id == STATE_NAME) {
|
|
|
117 |
- memcpy(&ptr[idx], "/ST=", 4);
|
|
|
118 |
- idx += 4;
|
|
|
119 |
- copy = true;
|
|
|
120 |
- }
|
|
|
121 |
- else if (id == ORG_NAME) {
|
|
|
122 |
- memcpy(&ptr[idx], "/O=", 3);
|
|
|
123 |
- idx += 3;
|
|
|
124 |
- copy = true;
|
|
|
125 |
- }
|
|
|
126 |
- else if (id == ORGUNIT_NAME) {
|
|
|
127 |
- memcpy(&ptr[idx], "/OU=", 4);
|
|
|
128 |
- idx += 4;
|
|
|
129 |
- copy = true;
|
|
|
130 |
- }
|
|
|
131 |
-
|
|
|
132 |
- if (copy) {
|
|
|
133 |
- memcpy(&ptr[idx], source_.get_current(), strLen);
|
|
|
134 |
- idx += strLen;
|
|
|
135 |
+ switch (id) {
|
|
|
136 |
+ case COMMON_NAME:
|
|
|
137 |
+ if (!(ptr= AddTag(ptr, buf_end, "/CN=", 4, strLen)))
|
|
|
138 |
+ goto err;
|
|
|
139 |
+ break;
|
|
|
140 |
+ case SUR_NAME:
|
|
|
141 |
+ if (!(ptr= AddTag(ptr, buf_end, "/SN=", 4, strLen)))
|
|
|
142 |
+ goto err;
|
|
|
143 |
+ break;
|
|
|
144 |
+ case COUNTRY_NAME:
|
|
|
145 |
+ if (!(ptr= AddTag(ptr, buf_end, "/C=", 3, strLen)))
|
|
|
146 |
+ goto err;
|
|
|
147 |
+ break;
|
|
|
148 |
+ case LOCALITY_NAME:
|
|
|
149 |
+ if (!(ptr= AddTag(ptr, buf_end, "/L=", 3, strLen)))
|
|
|
150 |
+ goto err;
|
|
|
151 |
+ break;
|
|
|
152 |
+ case STATE_NAME:
|
|
|
153 |
+ if (!(ptr= AddTag(ptr, buf_end, "/ST=", 4, strLen)))
|
|
|
154 |
+ goto err;
|
|
|
155 |
+ break;
|
|
|
156 |
+ case ORG_NAME:
|
|
|
157 |
+ if (!(ptr= AddTag(ptr, buf_end, "/O=", 3, strLen)))
|
|
|
158 |
+ goto err;
|
|
|
159 |
+ break;
|
|
|
160 |
+ case ORGUNIT_NAME:
|
|
|
161 |
+ if (!(ptr= AddTag(ptr, buf_end, "/OU=", 4, strLen)))
|
|
|
162 |
+ goto err;
|
|
|
163 |
+ break;
|
|
|
164 |
}
|
|
|
165 |
|
|
|
166 |
sha.Update(source_.get_current(), strLen);
|
|
|
167 |
@@ -739,23 +755,20 @@ void CertDecoder::GetName(NameType nt)
|
|
|
168 |
source_.advance(oidSz + 1);
|
|
|
169 |
word32 length = GetLength(source_);
|
|
|
170 |
|
|
|
171 |
- if (email) {
|
|
|
172 |
- memcpy(&ptr[idx], "/emailAddress=", 14);
|
|
|
173 |
- idx += 14;
|
|
|
174 |
-
|
|
|
175 |
- memcpy(&ptr[idx], source_.get_current(), length);
|
|
|
176 |
- idx += length;
|
|
|
177 |
- }
|
|
|
178 |
+ if (email && !(ptr= AddTag(ptr, buf_end, "/emailAddress=", 14, length)))
|
|
|
179 |
+ goto err;
|
|
|
180 |
|
|
|
181 |
source_.advance(length);
|
|
|
182 |
}
|
|
|
183 |
}
|
|
|
184 |
- ptr[idx++] = 0;
|
|
|
185 |
+ *ptr= 0;
|
|
|
186 |
|
|
|
187 |
- if (nt == ISSUER)
|
|
|
188 |
- sha.Final(issuerHash_);
|
|
|
189 |
- else
|
|
|
190 |
- sha.Final(subjectHash_);
|
|
|
191 |
+ sha.Final(nt == ISSUER ? issuerHash_ : subjectHash_);
|
|
|
192 |
+
|
|
|
193 |
+ return;
|
|
|
194 |
+
|
|
|
195 |
+err:
|
|
|
196 |
+ source_.SetError(CONTENT_E);
|
|
|
197 |
}
|
|
|
198 |
|