Fix CMP code to not assume NUL terminated strings

ASN.1 strings may not be NUL terminated. Don't assume they are. CVE-2021-3712 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David Benjamin <davidben@google.com>
1 year ago · 95f8c1e142
parent d2015a783e
commit 95f8c1e142
5 changed files with 10 additions and 8 deletions
--- a/crypto/cmp/cmp_hdr.c
+++ b/crypto/cmp/cmp_hdr.c
@ -181,7 +181,8 @@ int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text)
        return 0;

    return
-        ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data);
+        ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data,
+                                             text->length);
 }

 int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@ -744,7 +744,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
                                   int only_self_issued);
 STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
-                                         const char *text);
+                                         const char *text, int len);
 int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
                                    const ASN1_OCTET_STRING *src);
 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@ -758,13 +758,13 @@ OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
            goto err;
        msg->body->value.error->errorDetails = ft;
        if (lib != NULL && *lib != '\0'
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib))
+                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
            goto err;
        if (reason != NULL && *reason != '\0'
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason))
+                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
            goto err;
        if (details != NULL
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
+                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
            goto err;
    }

--- a/crypto/cmp/cmp_status.c
+++ b/crypto/cmp/cmp_status.c
@ -220,7 +220,8 @@ char *snprint_PKIStatusInfo_parts(int status, int fail_info,
        ADVANCE_BUFFER;
        for (i = 0; i < n_status_strings; i++) {
            text = sk_ASN1_UTF8STRING_value(status_strings, i);
-            printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%s\"%s",
+            printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
+                                         ASN1_STRING_length(text),
                                         ASN1_STRING_get0_data(text),
                                         i < n_status_strings - 1 ? ", " : "");
            ADVANCE_BUFFER;
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@ -221,7 +221,7 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
 }

 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
-                                         const char *text)
+                                         const char *text, int len)
 {
    ASN1_UTF8STRING *utf8string;

@ -229,7 +229,7 @@ int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
        return 0;
    if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
        return 0;
-    if (!ASN1_STRING_set(utf8string, text, -1))
+    if (!ASN1_STRING_set(utf8string, text, len))
        goto err;
    if (!sk_ASN1_UTF8STRING_push(sk, utf8string))
        goto err;