author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-17 09:40:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-17 09:40:13 +0000 |
commit | ca6f0ad926d2fabed66a049927cea2eb176581da (patch) | |
tree | f8628a402e4a6f4f81be2b2963724e80c4a92e67 /main/openswan/openswan-libreswan-backport-949437-x509dn.patch | |
parent | 8b2da88e8e533e78dfec86f9d1ed4e5cadfa4ca8 (diff) | |
main/openswan: security fix remote buffer overflow in atodn() (CVE-2013-2053)
patches are from http://libreswan.org/security/CVE-2013-2053/
fixes #1895
Diffstat (limited to 'main/openswan/openswan-libreswan-backport-949437-x509dn.patch')
-rw-r--r-- | main/openswan/openswan-libreswan-backport-949437-x509dn.patch | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/main/openswan/openswan-libreswan-backport-949437-x509dn.patch b/main/openswan/openswan-libreswan-backport-949437-x509dn.patch
new file mode 100644
index 0000000000..2d41293771
--- /dev/null
+++ b/main/openswan/openswan-libreswan-backport-949437-x509dn.patch
@@ -0,0 +1,79 @@
+diff --git a/lib/libopenswan/x509dn.c b/lib/libopenswan/x509dn.c
+index 7731856..43c4bb5 100644
+--- a/lib/libopenswan/x509dn.c
++++ b/lib/libopenswan/x509dn.c
+@@ -477,11 +477,25 @@ static const x501rdn_t x501rdns[] = {
+ /* Maximum length of ASN.1 distinquished name */
+ #define ASN1_BUF_LEN 512
+
++static void format_chunk(chunk_t *ch, const char *format, ...) PRINTF_LIKE(2);
++
+ static void
+-update_chunk(chunk_t *ch, int n)
++format_chunk(chunk_t *ch, const char *format, ...)
+ {
+- n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
+- ch->ptr += n; ch->len -= n;
++ if (ch->len > 0) {
++ size_t len = ch->len;
++ va_list args;
++ va_start(args, format);
++ int ret = vsnprintf((char *)ch->ptr, len, format, args);
++ va_end(args);
++ if (ret < 0 || ret > len) {
++ ch->ptr += len;
++ ch->len = 0;
++ } else {
++ ch->ptr += ret;
++ ch->len -= ret;
++ }
++ }
+ }
+
+
+@@ -612,9 +626,7 @@ dn_parse(chunk_t dn, chunk_t *str)
+ err_t ugh;
+
+ if(dn.ptr == NULL) {
+- const char *e = "(empty)";
+- strncpy((char *)str->ptr, e, str->len);
+- update_chunk(str, strlen(e));
++ format_chunk(str, "(empty)");
+ return NULL;
+ }
+ ugh = init_rdn(dn, &rdn, &attribute, &next);
+@@ -632,19 +644,17 @@ dn_parse(chunk_t dn, chunk_t *str)
+ if (first) /* first OID/value pair */
+ first = FALSE;
+ else /* separate OID/value pair by a comma */
+- update_chunk(str, snprintf((char *)str->ptr,str->len,", "));
++ format_chunk(str, ", ");
+
+ /* print OID */
+ oid_code = known_oid(oid);
+ if (oid_code == OID_UNKNOWN) /* OID not found in list */
+ hex_str(oid, str);
+ else
+- update_chunk(str, snprintf((char *)str->ptr,str->len,"%s",
+- oid_names[oid_code].name));
++ format_chunk(str, "%s", oid_names[oid_code].name);
+
+ /* print value */
+- update_chunk(str, snprintf((char *)str->ptr,str->len,"=%.*s",
+- (int)value.len,value.ptr));
++ format_chunk(str, "=%.*s", (int)value.len, value.ptr);
+ }
+ return NULL;
+ }
+@@ -684,9 +694,9 @@ void
+ hex_str(chunk_t bin, chunk_t *str)
+ {
+ u_int i;
+- update_chunk(str, snprintf((char *)str->ptr,str->len,"0x"));
++ format_chunk(str, "0x");
+ for (i=0; i < bin.len; i++)
+- update_chunk(str, snprintf((char *)str->ptr,str->len,"%02X",*bin.ptr++));
++ format_chunk(str, "%02X", *bin.ptr++);
+ }
+
+
|
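Review bot: In format_chunk() the truncation test `ret > len` compares an int with a size_t and misses the exact-fit case, since vsnprintf() signals truncation whenever its return value is greater than or equal to the size it was given. With `ret == len` the else branch happens to leave the same state (`ch->ptr` advanced by `len`, `ch->len` zero), so this is not a memory-safety problem, but `if (ret < 0 || (size_t)ret >= len) {` states the intent and avoids the sign-compare warning. The function returns void, so dn_parse() and hex_str() cannot tell that the rendered name was cut short or that vsnprintf() failed; a comment such as `/* on truncation or error the chunk is saturated (len = 0) and later calls are no-ops */` above format_chunk() would document that contract. Callers that compare or log the resulting string should presumably treat a saturated chunk as an error, though those callers lie outside these hunks, and dn_parse() and hex_str() are only partly visible here.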