diff options
| author | Tjerk Meesters <datibbaw@php.net> | 2013-09-21 19:38:09 +0800 |
|---|---|---|
| committer | Tjerk Meesters <datibbaw@php.net> | 2013-09-21 19:38:09 +0800 |
| commit | 8e847b5845b85c080295aea60c20869973c09a15 (patch) | |
| tree | 79ceb06a5392f04a1d2755da282d48cea4d6356b /ext | |
| parent | 8915c3fb4fa40743bdddf23013a63e014d03d02c (diff) | |
| download | php-git-8e847b5845b85c080295aea60c20869973c09a15.tar.gz | |
Fixed bug that would lead to out of bounds memory access
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/openssl/openssl.c | 46 |
1 files changed, 28 insertions, 18 deletions
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 5460f3a6e1..1c367df081 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -4831,26 +4831,36 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) /* {{{ */ static int php_openssl_match_cn(const char *subjectname, const char *certname) { - int match = strcmp(subjectname, certname) == 0; - - if (!match) { - char *wildcard = strchr(certname, '*'); - int prefix_len = wildcard - certname; - - /* 1) prefix, if not empty, must match */ - if (wildcard && (prefix_len == 0 || strncmp(subjectname, certname, prefix_len) == 0)) { - const char *suffix = subjectname + strlen(subjectname) - strlen(wildcard + 1); - - /* - * 2) suffix must match - * 3) no period between prefix and suffix - **/ - match = strcmp(wildcard + 1, suffix) == 0 && - memchr(subjectname + prefix_len, '.', suffix - subjectname - prefix_len) == NULL; - } + char *wildcard; + int prefix_len, suffix_len, subject_len; + + if (strcmp(subjectname, certname) == 0) { + return 1; } - return match; + if (!(wildcard = strchr(certname, '*'))) { + return 0; + } + + // 1) prefix, if not empty, must match subject + prefix_len = wildcard - certname; + if (prefix_len && strncmp(subjectname, certname, prefix_len) != 0) { + return 0; + } + + suffix_len = strlen(wildcard + 1); + subject_len = strlen(subjectname); + if (suffix_len <= subject_len) { + const char *suffix = subjectname + subject_len - suffix_len; + + /* 2) suffix must match + * 3) no . between prefix and suffix + **/ + return strcmp(wildcard + 1, suffix) == 0 && + memchr(subjectname + prefix_len, '.', suffix - subjectname - prefix_len) == NULL; + } + + return 0; } int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream *stream TSRMLS_DC) /* {{{ */ |