ASCII NUL in certificate fields

Seth Arnold
February 27, 2014 11:22PM
Hello, I'm curious if nginx has made the same mistake as CVE-2009-2408 in
the ngx_ssl_get_subject_dn() and ngx_ssl_get_issuer_dn() functions:

Note in the following copy-and-pastes the { /* void */ } for loops. That
should find the end of an ASCII string but if a certificate has 0x00 bytes
encoded in the fields, nginx may copy only a small portion of the string.

Am I overlooking something?

Thanks

ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    char       *p;
    size_t      len;
    X509       *cert;
    X509_NAME  *name;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_subject_name(cert);
    if (name == NULL) {
        X509_free(cert);
        return NGX_ERROR;
    }

    p = X509_NAME_oneline(name, NULL, 0);

    for (len = 0; p[len]; len++) { /* void */ }

    s->len = len;
    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        OPENSSL_free(p);
        X509_free(cert);
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, p, len);

    OPENSSL_free(p);
    X509_free(cert);

    return NGX_OK;
}

ngx_int_t
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    char       *p;
    size_t      len;
    X509       *cert;
    X509_NAME  *name;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_issuer_name(cert);
    if (name == NULL) {
        X509_free(cert);
        return NGX_ERROR;
    }

    p = X509_NAME_oneline(name, NULL, 0);

    for (len = 0; p[len]; len++) { /* void */ }

    s->len = len;
    s->data = ngx_pnalloc(pool, len);
    if (s->data == NULL) {
        OPENSSL_free(p);
        X509_free(cert);
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, p, len);

    OPENSSL_free(p);
    X509_free(cert);

    return NGX_OK;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
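
The gap between a terminator scan and a declared field length, as an added example that is not part of the original post and is not nginx code. It uses no OpenSSL calls; `field_t`, `scan_len`, `has_embedded_nul`, `copy_field` and the sample values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-counted certificate field:
 * ASN.1 strings carry an explicit length, not a terminator. */
typedef struct { const unsigned char *data; size_t len; } field_t;

/* Constructed sample values, not taken from any real certificate. */
static const unsigned char sample_nul[] = "www.example.com\0.example.net";
static const unsigned char sample_ok[] = "www.example.com";
static const field_t nul_field = { sample_nul, sizeof(sample_nul) - 1 };
static const field_t ok_field = { sample_ok, sizeof(sample_ok) - 1 };

/* The same scan as the loops in the post, bounded by max. */
size_t scan_len(const unsigned char *p, size_t max)
{
    size_t len;

    for (len = 0; len < max && p[len]; len++) { /* void */ }
    return len;
}

/* 1 if a 0x00 byte occurs before the declared end of the field. */
int has_embedded_nul(const field_t *f)
{
    return memchr(f->data, '\0', f->len) != NULL;
}

/* Length-aware copy; returns bytes copied, or -1 if the field has an
 * embedded NUL or does not fit in dst. */
long copy_field(const field_t *f, unsigned char *dst, size_t dstsz)
{
    if (f->len > dstsz || has_embedded_nul(f)) {
        return -1;
    }
    memcpy(dst, f->data, f->len);
    return (long) f->len;
}

int main(void)
{
    unsigned char buf[64];

    printf("declared %zu, scanned %zu, copy %ld\n", nul_field.len,
           scan_len(nul_field.data, nul_field.len),
           copy_field(&nul_field, buf, sizeof(buf)));
    return 0;
}
```

A scanned length shorter than the declared length is the signal to reject or log the field rather than pass the truncated value on.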