diff options
| author | nelson%bolyard.com <devnull@localhost> | 2009-04-13 17:23:15 +0000 |
|---|---|---|
| committer | nelson%bolyard.com <devnull@localhost> | 2009-04-13 17:23:15 +0000 |
| commit | 9af6a573dd956838d7775c33fd2db9d9b27caa88 (patch) | |
| tree | 5263294bbc0ea5e356398320ccb46412e25d6902 | |
| parent | fd64a5a47ccf477f8412c15f02fc759a7e61d1c5 (diff) | |
| download | nss-hg-9af6a573dd956838d7775c33fd2db9d9b27caa88.tar.gz | |
Bug 487381 certificates with very large issuer names can corrupt cert8 database
r=Kaspar Brand
| -rw-r--r-- | security/nss/lib/softoken/legacydb/pcertdb.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c index 15fbec263..7a4a956a3 100644 --- a/security/nss/lib/softoken/legacydb/pcertdb.c +++ b/security/nss/lib/softoken/legacydb/pcertdb.c @@ -708,12 +708,14 @@ EncodeDBGenericKey(const SECItem *certKey, PRArenaPool *arena, SECItem *dbkey, dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); if ( dbkey->data == NULL ) { goto loser; } PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], - certKey->data, certKey->len); + certKey->data, certKey->len); dbkey->data[0] = (unsigned char) entryType; return(SECSuccess); @@ -1454,7 +1456,6 @@ EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena, */ dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN; - dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len); if ( dbitem->data == NULL) { goto loser; @@ -1462,10 +1463,8 @@ EncodeDBNicknameEntry(certDBEntryNickname *entry, PRArenaPool *arena, /* fill in database record */ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN]; - buf[0] = (PRUint8)( entry->subjectName.len >> 8 ); buf[1] = (PRUint8)( entry->subjectName.len ); - PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data, entry->subjectName.len); @@ -1488,6 +1487,8 @@ EncodeDBNicknameKey(char *nickname, PRArenaPool *arena, /* now get the database key and format it */ dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); if ( dbkey->data == NULL ) { goto loser; @@ -1821,6 +1822,8 @@ EncodeDBSMimeKey(char *emailAddr, PRArenaPool *arena, /* now get the database key and format it */ dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN; + if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE) + goto loser; dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len); if ( dbkey->data == NULL ) { goto loser; |