Commit dbe69684 authored by Howard Chu's avatar Howard Chu
Browse files

ITS#9404 fix serialNumberAndIssuerCheck

Tighten validity checks
parent 1ea12260
...@@ -3268,7 +3268,7 @@ serialNumberAndIssuerCheck( ...@@ -3268,7 +3268,7 @@ serialNumberAndIssuerCheck(
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX; if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) { if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */ /* Parse old format */
is->bv_val = ber_bvchr( in, '$' ); is->bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX; if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
...@@ -3299,7 +3299,7 @@ serialNumberAndIssuerCheck( ...@@ -3299,7 +3299,7 @@ serialNumberAndIssuerCheck(
HAVE_ALL = ( HAVE_ISSUER | HAVE_SN ) HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
} have = HAVE_NONE; } have = HAVE_NONE;
int numdquotes = 0; int numdquotes = 0, gotquote;
struct berval x = *in; struct berval x = *in;
struct berval ni; struct berval ni;
x.bv_val++; x.bv_val++;
...@@ -3341,11 +3341,12 @@ serialNumberAndIssuerCheck( ...@@ -3341,11 +3341,12 @@ serialNumberAndIssuerCheck(
is->bv_val = x.bv_val; is->bv_val = x.bv_val;
is->bv_len = 0; is->bv_len = 0;
for ( ; is->bv_len < x.bv_len; ) { for ( gotquote=0; is->bv_len < x.bv_len; ) {
if ( is->bv_val[is->bv_len] != '"' ) { if ( is->bv_val[is->bv_len] != '"' ) {
is->bv_len++; is->bv_len++;
continue; continue;
} }
gotquote = 1;
if ( is->bv_val[is->bv_len+1] == '"' ) { if ( is->bv_val[is->bv_len+1] == '"' ) {
/* double dquote */ /* double dquote */
numdquotes++; numdquotes++;
...@@ -3354,6 +3355,8 @@ serialNumberAndIssuerCheck( ...@@ -3354,6 +3355,8 @@ serialNumberAndIssuerCheck(
} }
break; break;
} }
if ( !gotquote ) return LDAP_INVALID_SYNTAX;
x.bv_val += is->bv_len + 1; x.bv_val += is->bv_len + 1;
x.bv_len -= is->bv_len + 1; x.bv_len -= is->bv_len + 1;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment