author | Simon Josefsson <simon@josefsson.org> | 2008-10-05 15:36:40 +0200 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2008-10-05 15:43:14 +0200 |
commit | cb809c6fd374727e989acc478b13c2884e0d8bbd (patch) | |
tree | fae916cda88d4e0064f0052b72bef41c63ea3f64 | |
parent | 1f694b907ddb50198a920cafe6f0a514891868ea (diff) | |
download | gnutls-cb809c6fd374727e989acc478b13c2884e0d8bbd.tar.gz |
Fix out-of-bounds access. Similar to debian #499945 lynx-cur problem.
libextra/gnutls_openssl.c: fix X509_get_issuer_name to return issuer
name of given certificate and not try to get the subject dn of the
issuer certificate which may or may not exist. (Checked how openssl
does this, too.) This fixes accessing an array outside its bounds.
Debian bug #499945 is instructive about the problem. While lynx-cur
credits Thomas Dickey for the bug, the code and implications are
essentially the same for the gnutls openssl-compat library.
Tiny patch from Thomas Viehmann <tv@beamnet.de>.
-rw-r--r-- | libextra/gnutls_openssl.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/libextra/gnutls_openssl.c b/libextra/gnutls_openssl.c
index cbe30e52d5..fbaa3ea453 100644
--- a/libextra/gnutls_openssl.c
+++ b/libextra/gnutls_openssl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2006 Free Software Foundation
+ * Copyright (C) 2004, 2005, 2006, 2008 Free Software Foundation
 * Copyright (c) 2002 Andrew McDonald <andrew@mcdonald.org.uk>
 *
 * This file is part of GNUTLS-EXTRA.
@@ -859,7 +859,7 @@ X509_get_subject_name (const X509 * cert)
 {
 gnutls_x509_dn *dn;
 dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
- if (gnutls_x509_extract_certificate_dn (&cert[0], dn) < 0)
+ if (gnutls_x509_extract_certificate_dn (cert, dn) < 0)
 {
 free (dn);
 return NULL;
@@ -872,7 +872,7 @@ X509_get_issuer_name (const X509 * cert)
 {
 gnutls_x509_dn *dn;
 dn = (gnutls_x509_dn *) calloc (1, sizeof (gnutls_x509_dn));
- if (gnutls_x509_extract_certificate_dn (&cert[1], dn) < 0)
+ if (gnutls_x509_extract_certificate_dn (cert, dn) < 0)
 {
 free (dn);
 return NULL; |
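Review bot: The `calloc` result in X509_get_subject_name is passed straight to `gnutls_x509_extract_certificate_dn (cert, dn)` without a NULL check, so an allocation failure hands a null `dn` to the extractor; the X509_get_issuer_name hunk has the same pattern. Adding `if (dn == NULL) return NULL;` directly after the `calloc` line keeps the function's existing NULL-on-failure behaviour. Whether the extractor tolerates a null output pointer is not visible in this diff. The function body continues past the end of the hunk.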
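Review bot: After this change X509_get_issuer_name makes exactly the same call as X509_get_subject_name, `gnutls_x509_extract_certificate_dn (cert, dn)`, so it appears to return the certificate's subject DN rather than its issuer DN, which does not match the commit description. Dropping the `&cert[1]` index does remove the out-of-bounds read, but the call presumably should be `if (gnutls_x509_extract_certificate_issuer_dn (cert, dn) < 0)`. Callers that display the issuer name or compare it in a trust decision would otherwise silently get the wrong field. The function body continues outside the hunk.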