Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAlt
From: Nikos Mavrogiannopoulos
Subject: Re: (ITS#5361) cert verification failures with GnuTLS and DNS subjectAltName
Date: Fri, 15 Feb 2008 16:58:46 +0200
Indeed I'll try to improve this patch to work only for formats known
to be text.
On Fri, Feb 15, 2008 at 12:34 AM, Joe Orton <address@hidden> wrote:
> On Sun, Feb 10, 2008 at 01:58:37AM -0800, Howard Chu wrote:
> > Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result
> > you're seeing. The change is here:
> >
> > http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e83c292562ab66c1817c7ebc27048
> >
> > and it is clearly a bug, since subjectAltName's are not necessarily
> > strings. (E.g., they can also be IP addresses, which are just 4 or 16
> > octets.) If you notice in the diff, they set
> > *name_size = len + 1;
> > and then later
> > name[len] = 0;
> > but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they
> > can cause a write past the end of the supplied buffer.
> >
> > This patch should be reverted, it is clearly wrong.
>
> FWIW, I agree. neon's test cases for subjectAltName support are
> breaking with 2.3.0 as well. Reverting the changeset Howard referenced
> fixes the issues.
>
> joe
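The ordering problem described in the quoted message, shown beside a corrected form, as an added example that is not part of the thread and is not GnuTLS code. The function names, the error code, the sample address and the convention that the reported size excludes the terminator are all assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define E_SHORT_BUFFER (-1) /* constructed error code for this example */

/* Flawed ordering: the size check covers len bytes, but len + 1 are written. */
static int copy_name_flawed(const unsigned char *val, size_t len,
                            char *name, size_t *name_size)
{
    if (*name_size < len) {
        *name_size = len;
        return E_SHORT_BUFFER;
    }
    memcpy(name, val, len);
    *name_size = len + 1; /* binary values now report one byte too many */
    name[len] = 0;        /* out of bounds when the buffer holds exactly len */
    return 0;
}

/* Hardened: room for the terminator is checked first, text formats only. */
static int copy_name_fixed(const unsigned char *val, size_t len, int is_text,
                           char *name, size_t *name_size)
{
    size_t need = len + (is_text ? 1 : 0);
    if (*name_size < need) {
        *name_size = need;
        return E_SHORT_BUFFER;
    }
    memcpy(name, val, len);
    if (is_text)
        name[len] = 0;
    *name_size = len; /* assumption: reported size excludes the terminator */
    return 0;
}

/* Constructed input: an IPv4 subjectAltName value (4 octets). */
static const unsigned char ip4[4] = { 192, 0, 2, 1 };

/* The caller's 4-byte buffer is the front of a 5-byte array, so the stray
 * write lands on a guard byte instead of outside the object. */
static int guard_clobbered(int use_fixed, size_t *reported)
{
    char slot[5] = { 0, 0, 0, 0, 0x55 };
    size_t size = 4;
    int rc = use_fixed ? copy_name_fixed(ip4, 4, 0, slot, &size)
                       : copy_name_flawed(ip4, 4, slot, &size);
    *reported = size;
    return rc == 0 && slot[4] != 0x55;
}
int main(void) { size_t n; return guard_clobbered(1, &n); }
```

With the flawed ordering a caller that compares the returned size against 4 or 16 to recognise an IP address sees 5 or 17 instead, which is one way a verification failure like the one in the subject line can arise.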