hyc@symas.com wrote:
Steve Langasek wrote:
Given that one of the errors returned by gnutls_x509_crt_get_subject_alt_name() is GNUTLS_E_SHORT_MEMORY_BUFFER, it seems obvious to me that this should use semantics for storage size rather than string length, and the only question in my mind is whether the trailing NUL is included as part of the internal representation of the string.
If this is a behavior change as you say, then I guess we need clarification from GnuTLS upstream about whether this is intentional.
Yes. I've just tested with GnuTLS 2.2.1 and 2.3.0 and see the same result you're seeing. The change is here: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=deaa3ac31c2e...
and it is clearly a bug, since subjectAltNames are not necessarily strings. (E.g., they can also be IP addresses, which are just 4 or 16 octets.) If you notice in the diff, they set *name_size = len + 1; and then later name[len] = 0; but this occurs *after* the check for SHORT_MEMORY_BUFFER. So in fact they can cause a write past the end of the supplied buffer.
This patch should be reverted, it is clearly wrong.
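The off-by-one described in the message above, illustrated as an added example. This is constructed code, not the thread's or GnuTLS's own: copy_san_buggy models the shape Howard describes (size check against len, then *name_size = len + 1 and name[len] = 0 after the check has already passed), copy_san_fixed keeps plain storage-size semantics with no terminator, and the probe hands each one a 4-octet iPAddress value with a caller buffer of exactly 4 bytes followed by a guard byte. The error constant's value and all function names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: the numeric value of the short-buffer error is arbitrary here. */
#define E_OK 0
#define E_SHORT_MEMORY_BUFFER (-51)

typedef int (*san_copy_fn)(const unsigned char *san, size_t len, void *name, size_t *name_size);

/* Model of the buggy shape: the size check uses len, but the function then reports
 * len + 1 and writes a terminator at name[len], one byte past what the check verified. */
int copy_san_buggy(const unsigned char *san, size_t len, void *name, size_t *name_size)
{
    if (*name_size < len) {
        *name_size = len + 1;              /* tells the caller to come back with len + 1 bytes */
        return E_SHORT_MEMORY_BUFFER;
    }
    memcpy(name, san, len);
    *name_size = len + 1;
    ((unsigned char *)name)[len] = 0;      /* out of bounds when the caller supplied exactly len bytes */
    return E_OK;
}

/* Storage-size semantics with no terminator: a SAN may be raw octets (iPAddress),
 * so the function copies exactly len bytes and reports exactly len. */
int copy_san_fixed(const unsigned char *san, size_t len, void *name, size_t *name_size)
{
    if (*name_size < len) {
        *name_size = len;
        return E_SHORT_MEMORY_BUFFER;
    }
    memcpy(name, san, len);
    *name_size = len;
    return E_OK;
}

struct probe_result {
    int rc;                 /* return code from the copy function */
    int guard_clobbered;    /* 1 if the byte right after the caller's buffer was overwritten */
    size_t reported_size;   /* value left in *name_size */
};

/* Calls fn with a caller buffer of caller_size bytes (must be < 8) backed by guard bytes,
 * using a constructed 4-octet iPAddress SAN as the value to copy. */
struct probe_result probe(san_copy_fn fn, size_t caller_size)
{
    static const unsigned char ip[4] = {192, 0, 2, 1};   /* constructed iPAddress SAN */
    unsigned char buf[8];                                /* first caller_size bytes are "owned", rest is guard */
    struct probe_result r;
    size_t sz = caller_size;

    memset(buf, 0xAA, sizeof buf);
    r.rc = fn(ip, sizeof ip, buf, &sz);
    r.reported_size = sz;
    r.guard_clobbered = buf[caller_size] != 0xAA;
    return r;
}

int main(void)
{
    struct probe_result b = probe(copy_san_buggy, 4);
    struct probe_result f = probe(copy_san_fixed, 4);

    printf("buggy: rc=%d reported=%zu guard_clobbered=%d\n", b.rc, b.reported_size, b.guard_clobbered);
    printf("fixed: rc=%d reported=%zu guard_clobbered=%d\n", f.rc, f.reported_size, f.guard_clobbered);
    return 0;
}
```

With an exact-fit 4-byte buffer the buggy variant returns success and still writes the fifth byte; the undersized (3-byte) case is not affected because the check fails before any write, so a caller that only ever follows the "grow and retry" path never notices. If a NUL terminator were wanted after all, the check itself would have to require len + 1 bytes before anything is written, and the terminator would still be meaningless for an iPAddress value.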