Fix in asn1_get_printable string

Buffer overflow vulnerability in proc.c
Possible double memory release on invalid certificates.


git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@221 9a5d90b5-6617-0410-8a86-bb477d3ed2e3

Author: cameronrich

crypto/crypto_misc.c

@@ -348,13 +348,15 @@ EXP_FUNC int STDCALL base64_decode(const char *in, int len,
 
             y = t = 0;
         }
+
+        if (z >= *outlen) /* check that we don't go past the output buffer */
+            goto error;
     }
 
     if (y != 0)
         goto error;
 
-    if (outlen)
-        *outlen = z;
+    *outlen = z;
     ret = 0;
 
 error:

httpd/proc.c

@@ -152,7 +152,7 @@ static int procheadelem(struct connstruct *cn, char *buf)
     else if (strcasecmp(buf, "Authorization:") == 0 &&
                                     strncmp(value, "Basic ", 6) == 0)
     {
-        int size;
+        int size = sizeof(cn->authorization);
         if (base64_decode(&value[6], strlen(&value[6]), 
                                         (uint8_t *)cn->authorization, &size))
             cn->authorization[0] = 0;   /* error */
@@ -1051,7 +1051,8 @@ static int check_digest(char *salt, const char *msg_passwd)
 {
     uint8_t b256_salt[MAXREQUESTLENGTH];
     uint8_t real_passwd[MD5_SIZE];
-    int salt_size;
+    int salt_size = sizeof(b256_salt);
+    int password_size = sizeof(real_passwd);
     char *b64_passwd;
     uint8_t md5_result[MD5_SIZE];
     MD5_CTX ctx;
@@ -1064,7 +1065,8 @@ static int check_digest(char *salt, const char *msg_passwd)
     if (base64_decode(salt, strlen(salt), b256_salt, &salt_size))
         return -1;
 
-    if (base64_decode(b64_passwd, strlen(b64_passwd), real_passwd, NULL))
+    if (base64_decode(b64_passwd, strlen(b64_passwd), real_passwd,
+                &password_size))
         return -1;
 
     /* very simple MD5 crypt algorithm, but then the salt we use is large */

ssl/asn1.c

@@ -288,19 +288,20 @@ static int asn1_get_oid_x520(const uint8_t *buf, int *offset)
 static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)
 {
     int len = X509_NOT_OK;
+    int asn1_type = buf[*offset];
 
     /* some certs have this awful crud in them for some reason */
-    if (buf[*offset] != ASN1_PRINTABLE_STR &&  
-            buf[*offset] != ASN1_PRINTABLE_STR2 &&  
-            buf[*offset] != ASN1_TELETEX_STR &&  
-            buf[*offset] != ASN1_IA5_STR &&  
-            buf[*offset] != ASN1_UNICODE_STR)
+    if (buf[asn1_type] != ASN1_PRINTABLE_STR &&  
+            buf[asn1_type] != ASN1_PRINTABLE_STR2 &&  
+            buf[asn1_type] != ASN1_TELETEX_STR &&  
+            buf[asn1_type] != ASN1_IA5_STR &&  
+            buf[asn1_type] != ASN1_UNICODE_STR)
         goto end_pnt_str;
 
         (*offset)++;
         len = get_asn1_length(buf, offset);
 
-        if (buf[*offset - 1] == ASN1_UNICODE_STR)
+        if (buf[asn1_type - 1] == ASN1_UNICODE_STR)
         {
             int i;
             *str = (char *)malloc(len/2+1);     /* allow for null */
@@ -330,7 +331,7 @@ int asn1_name(const uint8_t *cert, int *offset, char *dn[])
 {
     int ret = X509_NOT_OK;
     int dn_type;
-    char *tmp = NULL;
+    char *tmp;
 
     if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
         goto end_name;
@@ -343,6 +344,8 @@ int asn1_name(const uint8_t *cert, int *offset, char *dn[])
                (dn_type = asn1_get_oid_x520(cert, offset)) < 0)
             goto end_name;
 
+        tmp = NULL;
+
         if (asn1_get_printable_str(cert, offset, &tmp) < 0)
         {
             free(tmp);

ssl/loader.c

@@ -259,6 +259,7 @@ static int pem_decrypt(const char *where, const char *end,
 
     /* turn base64 into binary */
     pem_size = (int)(end-start);
+    ssl_obj->len = sizeof(ssl_obj->buf);
     if (base64_decode(start, pem_size, ssl_obj->buf, &ssl_obj->len) != 0)
         goto error;
 
@@ -326,11 +327,15 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
                         goto error;
                     }
                 }
-                else if (base64_decode(start, pem_size, 
-                            ssl_obj->buf, &ssl_obj->len) != 0)
+                else 
                 {
-                    ret = SSL_ERROR_BAD_CERTIFICATE;
-                    goto error;
+                    ssl_obj->len = pem_size;
+                    if (base64_decode(start, pem_size, 
+                                ssl_obj->buf, &ssl_obj->len) != 0)
+                    {
+                        ret = SSL_ERROR_BAD_CERTIFICATE;
+                        goto error;
+                    }
                 }
 
                 switch (i)