path: root/meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch
Fix: CVE-2015-3455

------------------------------------------------------------
revno: 13222
revision-id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz
parent: squid3@treenet.co.nz-20150501071104-vd21fu43lvmqoqwa
author: Amos Jeffries <amosjeffries@squid-cache.org>, Christos Tsantilas <chtsanti@users.sourceforge.net>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.4
timestamp: Fri 2015-05-01 00:16:51 -0700
message:
  Fix X509 server certificate domain matching
  
  The X509 certificate domain fields may contain non-ASCII encodings.
  Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible
  strings.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# testament_sha1: e38694c3e222c506740510557d2a7a122786225c
# timestamp: 2015-05-01 07:17:25 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
# base_revision_id: squid3@treenet.co.nz-20150501071104-\
#   vd21fu43lvmqoqwa
# 
# Begin patch

Upstream-Status: Backport

http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13222.patch

Signed-off-by: Armin Kuster <akuster@mvista.com>

=== modified file 'src/ssl/support.cc'
--- a/src/ssl/support.cc	2015-01-24 05:07:58 +0000
+++ b/src/ssl/support.cc	2015-05-01 07:16:51 +0000
@@ -209,7 +209,13 @@
     if (cn_data->length > (int)sizeof(cn) - 1) {
         return 1; //if does not fit our buffer just ignore
     }
-    memcpy(cn, cn_data->data, cn_data->length);
+    char *s = reinterpret_cast<char*>(cn_data->data);
+    char *d = cn;
+    for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
+        if (*s == '\0')
+            return 1; // always a domain mismatch. contains 0x00
+        *d = *s;
+    }
     cn[cn_data->length] = '\0';
     debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
     return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);
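Review bot: The added loop rejects only an embedded 0x00 byte, whereas the commit message says the matcher should only be passed ASCII-compatible strings; bytes with the high bit set are still copied into `cn` and handed to `matchDomainName`. Whether the ASN.1 string type of `cn_data` is validated earlier cannot be told from here, because the enclosing function starts above the hunk. If ASCII-only input is the intent, the test could be widened to `if (*s == '\0' || (static_cast<unsigned char>(*s) & 0x80)) return 1;`, with a comment saying that non-ASCII names are treated as a mismatch. Since `s` is only read, `const char *s = reinterpret_cast<const char*>(cn_data->data);` would make that explicit.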