oss-sec mailing list archives

Re: CVE Request: libesmtp does not check NULL bytes in commonName


From: ArkanoiD <ark () eltex net>
Date: Tue, 16 Mar 2010 16:56:15 +0300

And according to the draft we MUST ignore the non-leaf value even if
it is the only CN, just incorrectly placed.

On Tue, Mar 16, 2010 at 02:41:52PM +0100, Peter Sylvester wrote:


Doesn't that lack a null byte check for subjAltNames?


The patch seems broken to me:
X509_NAME_get_text_by_NID gets the "highest" one, not the leaf value.
In case of two common names, this is wrong.

So instead of
int l = X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
                                   NID_commonName, buf, sizeof buf);

one needs something like:

   X509_NAME *name = X509_get_subject_name(cert);
   int i = -1, j;   /* -1: start the search before the first entry */
   if (name)
       while ((j = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0)
           i = j;   /* ends with i = index of the last (leaf) CN, or -1 if none */




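The index loop above walks every commonName entry and keeps the last one, the leaf-most CN. As an added example (not libesmtp's code, and not using OpenSSL so that it builds without libcrypto), the following applies the same selection rule directly to a DER-encoded X.501 Name and adds the NUL-byte check this thread is about: take the last commonName in RDN order, and judge the value by its ASN.1 length rather than by strlen(). The helper names (read_tlv, leaf_common_name, leaf_cn_matches) and the three sample Names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

static const unsigned char OID_CN[] = { 0x55, 0x04, 0x03 }; /* id-at-commonName, 2.5.4.3 */
struct cn_result {
    const unsigned char *value; /* points into the caller's DER buffer */
    size_t len;                 /* ASN.1 length, not strlen() */
    int count;                  /* number of commonName attributes seen */
    int has_nul;                /* 1 if the leaf CN contains a NUL byte */
};

/* Parse one DER tag + length header; returns header size, 0 on error. */
static size_t read_tlv(const unsigned char *p, size_t avail,
                       unsigned char *tag, size_t *len)
{
    size_t hdr = 2;
    int nb, i;
    if (avail < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return *len <= avail - 2 ? 2 : 0; }
    nb = p[1] & 0x7f;                      /* long form: 0x8N then N bytes */
    if (nb == 0 || nb > 2 || avail < 2 + (size_t)nb) return 0;
    for (*len = 0, i = 0; i < nb; i++) *len = (*len << 8) | p[2 + i];
    hdr += nb;
    return *len <= avail - hdr ? hdr : 0;
}

/* Name ::= SEQUENCE OF RDN, RDN ::= SET OF SEQUENCE { type OID, value ANY }.
 * Keeps the LAST commonName seen (the leaf-most one), which is what the
 * X509_NAME_get_index_by_NID loop ends up with. 1 found, 0 none, -1 bad DER. */
static int leaf_common_name(const unsigned char *der, size_t der_len,
                            struct cn_result *out)
{
    unsigned char tag; size_t len, hdr; int is_cn;
    const unsigned char *p, *end, *rp, *rend, *ap, *aend;
    memset(out, 0, sizeof *out);
    hdr = read_tlv(der, der_len, &tag, &len);
    if (!hdr || tag != 0x30) return -1;
    p = der + hdr; end = p + len;
    while (p < end) {                       /* one RDN (SET) per iteration */
        hdr = read_tlv(p, (size_t)(end - p), &tag, &len);
        if (!hdr || tag != 0x31) return -1;
        rp = p + hdr; rend = rp + len; p = rend;
        while (rp < rend) {                 /* one attribute (SEQUENCE) each */
            hdr = read_tlv(rp, (size_t)(rend - rp), &tag, &len);
            if (!hdr || tag != 0x30) return -1;
            ap = rp + hdr; aend = ap + len; rp = aend;
            hdr = read_tlv(ap, (size_t)(aend - ap), &tag, &len);   /* type */
            if (!hdr || tag != 0x06) return -1;
            is_cn = len == sizeof OID_CN && memcmp(ap + hdr, OID_CN, len) == 0;
            ap += hdr + len;
            hdr = read_tlv(ap, (size_t)(aend - ap), &tag, &len);   /* value */
            if (!hdr) return -1;
            if (is_cn) {                    /* a later RDN replaces an earlier */
                out->count++;
                out->value = ap + hdr;
                out->len = len;
            }
        }
    }
    if (out->count == 0) return 0;
    /* The NUL check: strlen() would stop at the first NUL, so judge the value
     * by its ASN.1 length instead of trusting it as a C string. */
    out->has_nul = memchr(out->value, 0, out->len) != NULL;
    return 1;
}

/* Constructed sample: C=XX, CN=www.bank.example, CN=www.evil.example.
 * X509_NAME_get_text_by_NID would report the first CN; the leaf is the last. */
static const unsigned char NAME_TWO_CN[] =
    "\x30\x43"
    "\x31\x0b" "\x30\x09" "\x06\x03\x55\x04\x06" "\x13\x02" "XX"
    "\x31\x19" "\x30\x17" "\x06\x03\x55\x04\x03" "\x0c\x10" "www.bank.example"
    "\x31\x19" "\x30\x17" "\x06\x03\x55\x04\x03" "\x0c\x10" "www.evil.example";

/* Constructed sample: C=XX, CN="www.bank.example\0.evil.example". */
static const unsigned char NAME_NUL_CN[] =
    "\x30\x36"
    "\x31\x0b" "\x30\x09" "\x06\x03\x55\x04\x06" "\x13\x02" "XX"
    "\x31\x27" "\x30\x25" "\x06\x03\x55\x04\x03" "\x0c\x1e"
    "www.bank.example" "\x00" ".evil.example";

/* Constructed sample with no CN at all: C=XX. */
static const unsigned char NAME_NO_CN[] =
    "\x30\x0d" "\x31\x0b" "\x30\x09" "\x06\x03\x55\x04\x06" "\x13\x02" "XX";

/* Host match done safely: leaf CN only, exact length, no embedded NUL.
 * Returns 1 match, 0 mismatch, -1 embedded NUL, -2 no CN or malformed DER. */
static int leaf_cn_matches(const unsigned char *der, size_t n, const char *host)
{
    struct cn_result r;
    if (leaf_common_name(der, n, &r) != 1) return -2;
    if (r.has_nul) return -1;
    return r.len == strlen(host) && memcmp(r.value, host, r.len) == 0;
}

int main(void)
{
    printf("two CNs, compare leaf to www.evil.example: %d\n",
           leaf_cn_matches(NAME_TWO_CN, sizeof NAME_TWO_CN - 1, "www.evil.example"));
    printf("NUL-prefix CN, compare to www.bank.example: %d\n",
           leaf_cn_matches(NAME_NUL_CN, sizeof NAME_NUL_CN - 1, "www.bank.example"));
    return 0;
}
```

With OpenSSL the same two steps are: run the X509_NAME_get_index_by_NID loop to get the last index, fetch that entry with X509_NAME_get_entry and X509_NAME_ENTRY_get_data, and then compare ASN1_STRING_length against strlen of the data before using it as a host name; a mismatch means an embedded NUL.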


