Dear OpenSSL Team,

Our company is the market leader in X509 certificate issuance in
Hungary.  For some functions we use OpenSSL products, and we have found a
problem in the recently issued OpenSSL versions that we would like to
share.

Source file: obj_dat.c
Function name: OBJ_txt2obj
Version: 0.6.9g

...
/* Work out size of content octets */
i=a2d_ASN1_OBJECT(NULL,0,s,-1);
if (i <= 0) {
        /* Clear the error */
        ERR_get_error();
        return NULL;
}

/* Work out total size */
j = ASN1_object_size(0,i,V_ASN1_OBJECT);
if((buf=(unsigned char *)OPENSSL_malloc(j)) == NULL) return NULL;
p = buf;

/* Write out tag+length */
ASN1_put_object(&p,0,i,V_ASN1_OBJECT,V_ASN1_UNIVERSAL);

/* Write out contents */
a2d_ASN1_OBJECT(p,i,s,-1);
p=buf;
op=d2i_ASN1_OBJECT(NULL,&p,i);  --> this should be
op=d2i_ASN1_OBJECT(NULL,&p,j);
...

In the code snippet above the "i" variable contains the length of the
object content while the "j" variable contains the whole ASN.1 structure
length. So I assume in the "d2i_ASN1_OBJECT" function call the "j"
variable should be given instead of the "i" one, as in the other d2i...
kind of functions. This length parameter is used for buffer size checking
later in the "ASN1_get_object" function:

Source file: asn1_lib.c
Function name: ASN1_get_object
Version: 0.6.9g

...
if (*plength > (omax - (p - *pp)))
{
        ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
        /* Set this so that even if things are not long enough
         * the values are set correctly */
        ret|=0x80;
}
...

Here the "omax" variable contains the value given to the
"d2i_ASN1_OBJECT" last parameter while "plength" is the length read from
the DER coding. The "p - *pp" is the header length, so if the omax
contains the object content length instead of the total (header +
content) length the comparison fails and "NULL" is returned instead of
the ASN1 OBJECT requested. Examining earlier OpenSSL versions we
discovered that these few lines of the comparison code are commented out,
so this was not a problem until "OpenSSL 0.6.9d".
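The following is an added, self-contained illustration of the length mismatch described above; it is not OpenSSL's code and not part of the original report. It encodes a dotted OID into a DER OBJECT IDENTIFIER (the content length "i" and total length "j" of the report), then runs the same comparison that the quoted ASN1_get_object lines perform, once with omax = i and once with omax = j. The helper names (oid_txt2der, object_fits, demonstrate) are made up for this example, the encoder only handles short-form lengths, and the sample OID 1.2.840.113549 is a constructed input.

```c
/* Added example (not OpenSSL code): reproduce the ASN1_get_object length
 * check with the content length vs. the total length of a DER OID. */
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode one OID arc in base-128 with continuation bits; returns bytes written. */
static size_t put_base128(unsigned long v, unsigned char *out)
{
    unsigned char tmp[10];
    size_t n = 0;
    do {
        tmp[n++] = (unsigned char)(v & 0x7f);
        v >>= 7;
    } while (v);
    for (size_t k = 0; k < n; k++)
        out[k] = tmp[n - 1 - k] | (k + 1 < n ? 0x80 : 0);
    return n;
}

/* Encode a dotted OID string as a complete DER OBJECT IDENTIFIER
 * (tag + short-form length + content). Returns the total length ("j" in the
 * report) and stores the content length ("i") in *content_len; 0 on error.
 * Hypothetical helper written for this example; short-form lengths only. */
static size_t oid_txt2der(const char *txt, unsigned char *out, size_t outsz,
                          size_t *content_len)
{
    unsigned char content[64];
    size_t clen = 0;
    const char *p = txt;
    char *end;
    unsigned long a = strtoul(p, &end, 10);
    if (end == p || *end != '.') return 0;
    p = end + 1;
    unsigned long b = strtoul(p, &end, 10);
    if (end == p) return 0;
    clen += put_base128(a * 40 + b, content + clen);   /* first two arcs share one value */
    p = end;
    while (*p == '.') {
        p++;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || clen + 10 > sizeof content) return 0;
        clen += put_base128(v, content + clen);
        p = end;
    }
    if (*p != '\0' || clen >= 128 || outsz < clen + 2) return 0;
    out[0] = 0x06;                  /* UNIVERSAL OBJECT IDENTIFIER tag */
    out[1] = (unsigned char)clen;   /* short-form length octet */
    memcpy(out + 2, content, clen);
    *content_len = clen;
    return clen + 2;
}

/* Mirror of the comparison quoted from ASN1_get_object: after the tag and
 * length octets are consumed, p - *pp is the header size and the content
 * length must fit in what remains of omax. Returns 1 if the object fits,
 * 0 where the real code would raise ASN1_R_TOO_LONG. */
static int object_fits(const unsigned char *buf, size_t omax)
{
    const unsigned char *p = buf;
    size_t plength;
    if (omax < 2) return 0;
    p++;                                 /* tag octet */
    if (*p & 0x80) {                     /* long form: next (*p & 0x7f) octets hold the length */
        size_t nbytes = *p & 0x7f;
        p++;
        if (nbytes == 0 || nbytes > sizeof(size_t) ||
            (size_t)(p - buf) + nbytes > omax) return 0;
        plength = 0;
        while (nbytes--) plength = (plength << 8) | *p++;
    } else {
        plength = *p++;                  /* short form */
    }
    /* the report's check: *plength > (omax - (p - *pp)) means "too long" */
    return plength <= omax - (size_t)(p - buf);
}

/* Contrast d2i_ASN1_OBJECT(NULL,&p,i) with d2i_ASN1_OBJECT(NULL,&p,j):
 * returns 1 when the total-length call passes and the content-length call fails. */
static int demonstrate(const char *oid)
{
    unsigned char buf[128];
    size_t i;
    size_t j = oid_txt2der(oid, buf, sizeof buf, &i);
    if (j == 0) return 0;
    int with_i = object_fits(buf, i);   /* what the reported code passes */
    int with_j = object_fits(buf, j);   /* what the report proposes */
    printf("%s: i=%zu j=%zu fits(i)=%d fits(j)=%d\n", oid, i, j, with_i, with_j);
    return with_j == 1 && with_i == 0;
}

int main(void)
{
    return demonstrate("1.2.840.113549") ? 0 : 1;
}
```

For 1.2.840.113549 the content is 6 bytes (2A 86 48 86 F7 0D) and the whole object 8 bytes, so with omax = 6 the remaining space after the 2-byte header is 4 bytes and the check rejects a perfectly valid OID, while omax = 8 accepts it; this is exactly why passing "i" instead of "j" makes OBJ_txt2obj return NULL once the comparison is compiled in.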

Please confirm that our assumptions are right and give me information on
how the problem can be resolved.

Thank you for your help.
Best regards,

László Cséplő,
Henrik Schalamonek
NetLock Ltd.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]