curl-tracker mailing list Archives

[ curl-Bugs-3000484 ] OpenSSL verifyhost() function makes bad assumptions

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Wed, 12 May 2010 14:44:37 +0000

Bugs item #3000484, was opened at 2010-05-12 14:44
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3000484&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: SSL/TLS
Group: bad behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: https://www.google.com/accounts ()
Assigned to: Daniel Stenberg (bagder)
Summary: OpenSSL verifyhost() function makes bad assumptions

Initial Comment:
In the verifyhost() function, we unconditionally do this:
        /* get data and length */
        const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
        size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
... even when the target type is GEN_IPADD, in which case the 'ia5' member of the check->d union isn't valid. It's an ASN1_OCTET_STRING instead. You're effectively casting one type of structure to another, and if it starts crashing you get what you deserve.

----------------------------------------------------------------------

Received on 2010-05-12
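
The pattern the report asks for, reading a union member only after checking the type tag, is shown here as an added example. It is not curl's or OpenSSL's code: the struct, enum and function names are hypothetical stand-ins for a subjectAltName entry, and the sample address is constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-ins for a subjectAltName entry; not OpenSSL's types. */
enum alt_type { ALT_DNS, ALT_IPADD };
struct text_str  { const char *data; size_t len; };          /* dNSName */
struct octet_str { const unsigned char *data; size_t len; }; /* iPAddress */
struct alt_name {
  enum alt_type type;
  union { struct text_str ia5; struct octet_str ip; } d;
};

/* Returns 1 if the entry matches host, 0 otherwise. */
int alt_matches(const struct alt_name *check, const char *host)
{
  unsigned char addr[16];
  size_t addrlen = 0;

  /* Decide whether the requested host is an IP literal. */
  if(inet_pton(AF_INET, host, addr) == 1)
    addrlen = 4;
  else if(inet_pton(AF_INET6, host, addr) == 1)
    addrlen = 16;

  switch(check->type) {
  case ALT_DNS:
    /* d.ia5 is the active member only in this branch. The length must
       equal strlen(host), so a name with an embedded NUL cannot match. */
    if(addrlen)
      return 0; /* an IP literal never matches a DNS name entry */
    return check->d.ia5.len == strlen(host) &&
           strncasecmp(check->d.ia5.data, host, check->d.ia5.len) == 0;
  case ALT_IPADD:
    /* d.ip is the active member only in this branch: compare raw octets. */
    return addrlen != 0 && check->d.ip.len == addrlen &&
           memcmp(check->d.ip.data, addr, addrlen) == 0;
  }
  return 0;
}

int main(void)
{
  static const unsigned char ip4[] = {192, 0, 2, 10}; /* constructed sample */
  struct alt_name ip = { ALT_IPADD, { .ip = { ip4, sizeof(ip4) } } };
  printf("%d\n", alt_matches(&ip, "192.0.2.10"));
  return 0;
}
```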
