In crypto/x509/by_dir.c, function add_cert_dir() bungles a "dir" parameter
that points to an empty string. The code does try to handle that case, but
it's not done right and can cause a core dump. The code is

    if (dir == NULL) return(0);

    s=dir;
    p=s;
    for (;;)
        {
        if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
            {
            ss=s;
            s=p+1;
            len=(int)(p-ss);
            if (len == 0) continue;
            for (j=0; j<ctx->num_dirs; j++)
                if (strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0)
                    continue;

Suppose *dir=='\0'. It sets s=dir and goes into the "for" loop, into the
"if", and increments s (which now points past the end of the empty string).
It finds len==0 and goes back to the top of the "for" and into the "if" again
and copies the bad pointer into ss. It finds len==1 this time and falls
through to pass the bad pointer to strncmp. Oops.
Here's a quick & dirty patch. Someone who knows what it's really supposed
to do should fix it right.
*** x509/by_dir.c.orig Mon Dec 21 03:55:40 1998
--- x509/by_dir.c Wed Jan 6 08:57:32 1999
***************
*** 193,197 ****
char **pp;
! if (dir == NULL) return(0);
s=dir;
--- 193,197 ----
char **pp;
! if (dir == NULL || !*dir) return(0);
s=dir;
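Review bot: the added !*dir test at line 193 only covers a dir that is empty as a whole; the "if (len == 0) continue;" branch in the loop quoted above is left as it was, and per the walkthrough it returns to the top of for (;;) with p unchanged after s=p+1, so ss ends up ahead of p on the next pass. An empty element inside a non-empty list (a leading or doubled LIST_SEPARATOR_CHAR) looks like it would take that same path, so the guard narrows the crash rather than removing it. Suggest fixing the loop itself so that the zero-length case still advances p and stops at '\0'; the early return is then a shortcut and not what keeps the pointer in bounds. Minor style point: the surrounding code spells its comparisons out (*p == '\0'), so *dir == '\0' would read more consistently than !*dir.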
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
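
Added example, not part of the original message and not OpenSSL's code: one way to walk a separator-delimited directory list so that an empty string, a lone separator or a doubled separator never leaves the scan pointer behind the segment start or past the terminator. The names split_dir_list, SEP, MAX_DIRS and MAX_LEN are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define SEP ':'       /* assumed stand-in for LIST_SEPARATOR_CHAR */
#define MAX_DIRS 8    /* constructed limits for this example */
#define MAX_LEN  64

/* Hypothetical helper: copy the non-empty, non-duplicate elements of `dir`
 * into out[]. Returns the number stored, or -1 on NULL input or overflow. */
int split_dir_list(const char *dir, char out[MAX_DIRS][MAX_LEN])
{
    const char *s, *p;
    int n = 0, j;

    if (dir == NULL) return -1;
    for (s = p = dir; ; p++) {         /* p advances on every pass */
        size_t len;
        if (*p != SEP && *p != '\0') continue;
        len = (size_t)(p - s);         /* s <= p always holds, so never negative */
        if (len >= MAX_LEN) return -1;
        if (len > 0) {
            for (j = 0; j < n; j++)    /* exact-length duplicate check */
                if (strlen(out[j]) == len && memcmp(out[j], s, len) == 0) break;
            if (j == n) {              /* not seen before: store it */
                if (n == MAX_DIRS) return -1;
                memcpy(out[n], s, len);
                out[n++][len] = '\0';
            }
        }
        if (*p == '\0') break;         /* stop at the terminator, never step past it */
        s = p + 1;                     /* *p was SEP, so p+1 is still inside the string */
    }
    return n;
}

int main(void)
{
    /* constructed inputs: empty string, lone separator, doubled separator */
    const char *tests[] = { "", ":", "/etc/ssl/certs::/opt/certs:/etc/ssl/certs" };
    char out[MAX_DIRS][MAX_LEN];
    for (int i = 0; i < 3; i++)
        printf("\"%s\" -> %d element(s)\n", tests[i], split_dir_list(tests[i], out));
    return 0;
}
```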