|
1 |
|
2 #At file:///home/ram/mysql/b50227-5.0-bugteam/ based on revid:gshchepa@stripped |
|
3 |
|
4 2838 Ramil Kalimullin 2010-01-13 |
|
5 Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL |
|
6 |
|
7 Problem: copying issuer's (or subject's) name tags into an internal |
|
8 buffer from incoming stream we didn't check the buffer overflow. |
|
9 That may lead to memory overrun, crash etc. |
|
10 |
|
11 Fix: ensure we don't overrun the buffer. |
|
12 |
|
13 Note: there's no simple test case (exploit needed). |
|
14 @ extra/yassl/taocrypt/include/asn.hpp |
|
15 Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL |
|
16 - CertDecoder::AddTag() introduced. |
|
17 @ extra/yassl/taocrypt/src/asn.cpp |
|
18 Fix for bug#50227: Pre-auth buffer-overflow in mySQL through yaSSL |
|
19 - copying data from incoming stream to the issuer_ or subject_ |
|
20 buffers ensure we don't overrun them. |
|
21 - code cleanup. |
|
22 |
|
23 modified: |
|
24 extra/yassl/taocrypt/include/asn.hpp |
|
25 extra/yassl/taocrypt/src/asn.cpp |
|
26 === modified file 'extra/yassl/taocrypt/include/asn.hpp' |
|
27 --- a/extra/yassl/taocrypt/include/asn.hpp 2007-01-29 15:54:40 +0000 |
|
28 +++ b/extra/yassl/taocrypt/include/asn.hpp 2010-01-13 05:20:45 +0000 |
|
29 @@ -305,6 +305,7 @@ private: |
|
30 bool ValidateSignature(SignerList*); |
|
31 bool ConfirmSignature(Source&); |
|
32 void GetKey(); |
|
33 + char* AddTag(char*, const char*, const char*, word32, word32); |
|
34 void GetName(NameType); |
|
35 void GetValidity(); |
|
36 void GetDate(DateType); |
|
37 |
|
38 === modified file 'extra/yassl/taocrypt/src/asn.cpp' |
|
39 --- a/extra/yassl/taocrypt/src/asn.cpp 2009-06-29 13:17:01 +0000 |
|
40 +++ b/extra/yassl/taocrypt/src/asn.cpp 2010-01-13 05:20:45 +0000 |
|
41 @@ -652,6 +652,23 @@ word32 CertDecoder::GetDigest() |
|
42 } |
|
43 |
|
44 |
|
45 +char *CertDecoder::AddTag(char *ptr, const char *buf_end, |
|
46 + const char *tag_name, word32 tag_name_length, |
|
47 + word32 tag_value_length) |
|
48 +{ |
|
49 + if (ptr + tag_name_length + tag_value_length > buf_end) |
|
50 + return 0; |
|
51 + |
|
52 + memcpy(ptr, tag_name, tag_name_length); |
|
53 + ptr+= tag_name_length; |
|
54 + |
|
55 + memcpy(ptr, source_.get_current(), tag_value_length); |
|
56 + ptr+= tag_value_length; |
|
57 + |
|
58 + return ptr; |
|
59 +} |
|
60 + |
|
61 + |
|
62 // process NAME, either issuer or subject |
|
63 void CertDecoder::GetName(NameType nt) |
|
64 { |
|
65 @@ -659,11 +676,21 @@ void CertDecoder::GetName(NameType nt) |
|
66 |
|
67 SHA sha; |
|
68 word32 length = GetSequence(); // length of all distinguished names |
|
69 - assert (length < ASN_NAME_MAX); |
|
70 + |
|
71 + if (length >= ASN_NAME_MAX) |
|
72 + goto err; |
|
73 length += source_.get_index(); |
|
74 |
|
75 - char* ptr = (nt == ISSUER) ? issuer_ : subject_; |
|
76 - word32 idx = 0; |
|
77 + char *ptr, *buf_end; |
|
78 + |
|
79 + if (nt == ISSUER) { |
|
80 + ptr= issuer_; |
|
81 + buf_end= ptr + sizeof(issuer_) - 1; // 1 byte for trailing 0 |
|
82 + } |
|
83 + else { |
|
84 + ptr= subject_; |
|
85 + buf_end= ptr + sizeof(subject_) - 1; // 1 byte for trailing 0 |
|
86 + } |
|
87 |
|
88 while (source_.get_index() < length) { |
|
89 GetSet(); |
|
90 @@ -685,47 +712,36 @@ void CertDecoder::GetName(NameType nt) |
|
91 byte id = source_.next(); |
|
92 b = source_.next(); // strType |
|
93 word32 strLen = GetLength(source_); |
|
94 - bool copy = false; |
|
95 |
|
96 - if (id == COMMON_NAME) { |
|
97 - memcpy(&ptr[idx], "/CN=", 4); |
|
98 - idx += 4; |
|
99 - copy = true; |
|
100 - } |
|
101 - else if (id == SUR_NAME) { |
|
102 - memcpy(&ptr[idx], "/SN=", 4); |
|
103 - idx += 4; |
|
104 - copy = true; |
|
105 - } |
|
106 - else if (id == COUNTRY_NAME) { |
|
107 - memcpy(&ptr[idx], "/C=", 3); |
|
108 - idx += 3; |
|
109 - copy = true; |
|
110 - } |
|
111 - else if (id == LOCALITY_NAME) { |
|
112 - memcpy(&ptr[idx], "/L=", 3); |
|
113 - idx += 3; |
|
114 - copy = true; |
|
115 - } |
|
116 - else if (id == STATE_NAME) { |
|
117 - memcpy(&ptr[idx], "/ST=", 4); |
|
118 - idx += 4; |
|
119 - copy = true; |
|
120 - } |
|
121 - else if (id == ORG_NAME) { |
|
122 - memcpy(&ptr[idx], "/O=", 3); |
|
123 - idx += 3; |
|
124 - copy = true; |
|
125 - } |
|
126 - else if (id == ORGUNIT_NAME) { |
|
127 - memcpy(&ptr[idx], "/OU=", 4); |
|
128 - idx += 4; |
|
129 - copy = true; |
|
130 - } |
|
131 - |
|
132 - if (copy) { |
|
133 - memcpy(&ptr[idx], source_.get_current(), strLen); |
|
134 - idx += strLen; |
|
135 + switch (id) { |
|
136 + case COMMON_NAME: |
|
137 + if (!(ptr= AddTag(ptr, buf_end, "/CN=", 4, strLen))) |
|
138 + goto err; |
|
139 + break; |
|
140 + case SUR_NAME: |
|
141 + if (!(ptr= AddTag(ptr, buf_end, "/SN=", 4, strLen))) |
|
142 + goto err; |
|
143 + break; |
|
144 + case COUNTRY_NAME: |
|
145 + if (!(ptr= AddTag(ptr, buf_end, "/C=", 3, strLen))) |
|
146 + goto err; |
|
147 + break; |
|
148 + case LOCALITY_NAME: |
|
149 + if (!(ptr= AddTag(ptr, buf_end, "/L=", 3, strLen))) |
|
150 + goto err; |
|
151 + break; |
|
152 + case STATE_NAME: |
|
153 + if (!(ptr= AddTag(ptr, buf_end, "/ST=", 4, strLen))) |
|
154 + goto err; |
|
155 + break; |
|
156 + case ORG_NAME: |
|
157 + if (!(ptr= AddTag(ptr, buf_end, "/O=", 3, strLen))) |
|
158 + goto err; |
|
159 + break; |
|
160 + case ORGUNIT_NAME: |
|
161 + if (!(ptr= AddTag(ptr, buf_end, "/OU=", 4, strLen))) |
|
162 + goto err; |
|
163 + break; |
|
164 } |
|
165 |
|
166 sha.Update(source_.get_current(), strLen); |
|
167 @@ -739,23 +755,20 @@ void CertDecoder::GetName(NameType nt) |
|
168 source_.advance(oidSz + 1); |
|
169 word32 length = GetLength(source_); |
|
170 |
|
171 - if (email) { |
|
172 - memcpy(&ptr[idx], "/emailAddress=", 14); |
|
173 - idx += 14; |
|
174 - |
|
175 - memcpy(&ptr[idx], source_.get_current(), length); |
|
176 - idx += length; |
|
177 - } |
|
178 + if (email && !(ptr= AddTag(ptr, buf_end, "/emailAddress=", 14, length))) |
|
179 + goto err; |
|
180 |
|
181 source_.advance(length); |
|
182 } |
|
183 } |
|
184 - ptr[idx++] = 0; |
|
185 + *ptr= 0; |
|
186 |
|
187 - if (nt == ISSUER) |
|
188 - sha.Final(issuerHash_); |
|
189 - else |
|
190 - sha.Final(subjectHash_); |
|
191 + sha.Final(nt == ISSUER ? issuerHash_ : subjectHash_); |
|
192 + |
|
193 + return; |
|
194 + |
|
195 +err: |
|
196 + source_.SetError(CONTENT_E); |
|
197 } |
|
198 |