Hello,

Please find attached a small patch to prevent a potential integer
overflow and buffer overflow in the function `_asn1_objectid_der' of
the file `lib/coding.c'.

-- 
Mansour
From ae00278e8ad401b48b7fd8d6e2208ca3e6549891 Mon Sep 17 00:00:00 2001
From: Mansour Moufid <[email protected]>
Date: Tue, 23 Aug 2011 18:01:10 -0400
Subject: [PATCH] Fix a potential buffer overflow in `lib/coding.c'.

In the function `_asn1_objectid_der' of the file `lib/coding.c',
if the `str' parameter is long enough (i.e. strlen (str) == SIZE_MAX)
then ``strlen (str) + 2'' will overflow to ``1'',
`temp' will be a single byte allocation, and
the next strcpy will cause a classic buffer overflow.

Fixed by initializing `temp' to NULL, checking for integer overflow,
and using strncpy (and strncat) instead of strcpy (and strcat).
---
 lib/coding.c |   13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/lib/coding.c b/lib/coding.c
index 111e063..367dada 100644
--- a/lib/coding.c
+++ b/lib/coding.c
@@ -253,18 +253,23 @@ static asn1_retCode
 _asn1_objectid_der (unsigned char *str, unsigned char *der, int *der_len)
 {
   int len_len, counter, k, first, max_len;
-  char *temp, *n_end, *n_start;
+  char *temp = NULL, *n_end, *n_start;
   unsigned char bit7;
   unsigned long val, val1 = 0;
+  size_t temp_size = str ? strlen (str) : 0;
+
+  temp_size += 2;
+  if (temp_size < 2)
+    return ASN1_MEM_ALLOC_ERROR;
 
   max_len = *der_len;
 
-  temp = (char *) _asn1_malloc (strlen (str) + 2);
+  temp = (char *) _asn1_malloc (temp_size);
   if (temp == NULL)
     return ASN1_MEM_ALLOC_ERROR;
 
-  strcpy (temp, str);
-  strcat (temp, ".");
+  strncpy (temp, str ? str : "", temp_size);
+  strncat (temp, ".", 1);
 
   counter = 0;
   n_start = temp;
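Review bot: The new `str ? str : ""` fallback on the `temp_size` and `strncpy` lines turns a NULL `str` into the string `"."`, which the tokenizer that follows (`n_start = temp`) presumably goes on to encode as an OID, so a caller bug that previously crashed now yields a silently bogus DER value; failing fast with an error return for NULL (the overflow path already returns `ASN1_MEM_ALLOC_ERROR`, though an invalid-value code would fit better if the library has one) is safer than proceeding. The `strncpy`/`strncat` swap adds no protection once `temp_size` is exact: `strncat (temp, ".", 1)` bounds the source, not the destination, and `strncpy` only zero-pads, so keeping `strcpy`/`strcat` behind the size check, or writing `memcpy (temp, str, temp_size - 2); temp[temp_size - 2] = '.'; temp[temp_size - 1] = '\0';`, states the intent more honestly. The `temp = NULL` initializer is dead since every path assigns `temp` before use. `str` is declared `unsigned char *` but handed to `strlen`/`strncpy` without a cast; that predates the patch. The body of `_asn1_objectid_der` continues past the hunk.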
-- 
1.7.1
