Re: ASCII NUL in certificate fields

Maxim Dounin
February 28, 2014 03:08AM
Hello!

On Thu, Feb 27, 2014 at 08:20:18PM -0800, Seth Arnold wrote:

> Hello, I'm curious if nginx has made the same mistake as CVE-2009-2408 in
> the ngx_ssl_get_subject_dn() and ngx_ssl_get_issuer_dn() functions:
>
> Note in the following copy-and-pastes the { /* void */ } for loops. That
> should find the end of an ASCII string but if a certificate has 0x00 bytes
> encoded in the fields, nginx may copy only a small portion of the string.
>
> Am I overlooking something?

Special chars are escaped by X509_NAME_oneline().

--
Maxim Dounin
http://nginx.org/
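Added example, not part of the original messages and not nginx or OpenSSL code: a C sketch of why a scan-to-NUL loop truncates a raw field value but not an escaped one. `escape_value()` is a simplified stand-in for the escaping that X509_NAME_oneline() applies (bytes outside the printable ASCII range become `\xXX`), and the field value is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a subject field value with an embedded 0x00 byte. */
static const unsigned char CN[] = "good.example\0.other.example";
#define CN_LEN (sizeof(CN) - 1)   /* 27 bytes, excluding the literal's final NUL */

/* The scan the quoted question describes: walk to the first NUL byte. */
static size_t scan_len(const char *s)
{
    const char *p;
    for (p = s; *p; p++) { /* void */ }
    return (size_t)(p - s);
}

/* Simplified stand-in (assumption, not OpenSSL source) for the escaping
 * X509_NAME_oneline() applies: bytes outside ' '..'~' become \xXX. */
static size_t escape_value(const unsigned char *in, size_t inlen,
                           char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t i, o = 0;
    if (outsz == 0) return 0;
    for (i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c < ' ' || c > '~') {
            if (o + 4 >= outsz) break;        /* keep room for the terminator */
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outsz) break;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char buf[128];
    size_t n = escape_value(CN, CN_LEN, buf, sizeof(buf));
    printf("raw scan:     %zu of %zu bytes\n", scan_len((const char *)CN), CN_LEN);
    printf("escaped scan: %zu of %zu bytes: %s\n", scan_len(buf), n, buf);
    return 0;
}
```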
