diff -Naur openswan-2.6.32-orig/include/asn1.h openswan-2.6.32/include/asn1.h --- openswan-2.6.32-orig/include/asn1.h 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/include/asn1.h 2013-04-24 13:11:05.799140126 -0400 @@ -84,8 +84,10 @@ #define ASN1_BODY 0x20 #define ASN1_RAW 0x40 -#define ASN1_INVALID_LENGTH 0xffffffff +#define ASN1_INVALID_LENGTH (~(size_t) 0) /* largest size_t */ +#define ASN1_MAX_LEN (1U << (8*3)) /* don't handle objects with length greater than this */ +#define ASN1_MAX_LEN_LEN 4 /* no coded length takes more than 4 bytes. */ /* definition of an ASN.1 object */ diff -Naur openswan-2.6.32-orig/include/id.h openswan-2.6.32/include/id.h --- openswan-2.6.32-orig/include/id.h 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/include/id.h 2013-04-24 13:11:05.799140126 -0400 @@ -46,7 +46,7 @@ extern const struct id *resolve_myid(const struct id *id); extern void set_myFQDN(void); -extern err_t atoid(char *src, struct id *id, bool myid_ok); +extern err_t atoid(char *src, struct id *id, bool myid_ok, bool oe_only); extern void iptoid(const ip_address *ip, struct id *id); extern unsigned char* temporary_cyclic_buffer(void); extern int idtoa(const struct id *id, char *dst, size_t dstlen); diff -Naur openswan-2.6.32-orig/lib/libopenswan/id.c openswan-2.6.32/lib/libopenswan/id.c --- openswan-2.6.32-orig/lib/libopenswan/id.c 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/lib/libopenswan/id.c 2013-04-24 13:11:05.799140126 -0400 @@ -57,27 +57,29 @@ /* Convert textual form of id into a (temporary) struct id. * Note that if the id is to be kept, unshare_id_content will be necessary. + * This function should be split into parts so the boolean arguments can be + * removed -- Paul */ err_t -atoid(char *src, struct id *id, bool myid_ok) +atoid(char *src, struct id *id, bool myid_ok, bool oe_only) { err_t ugh = NULL; *id = empty_id; - if (myid_ok && streq("%myid", src)) + if (!oe_only && myid_ok && streq("%myid", src)) { id->kind = ID_MYID; } - else if (streq("%fromcert", src)) + else if (!oe_only && streq("%fromcert", src)) { id->kind = ID_FROMCERT; } - else if (streq("%none", src)) + else if (!oe_only && streq("%none", src)) { id->kind = ID_NONE; } - else if (strchr(src, '=') != NULL) + else if (!oe_only && strchr(src, '=') != NULL) { /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN */ id->kind = ID_DER_ASN1_DN; @@ -111,7 +113,7 @@ { if (*src == '@') { - if (*(src+1) == '#') + if (!oe_only && *(src+1) == '#') { /* if there is a second specifier (#) on the line * we interprete this as ID_KEY_ID @@ -122,7 +124,7 @@ ugh = ttodata(src+2, 0, 16, (char *)id->name.ptr , strlen(src), &id->name.len); } - else if (*(src+1) == '~') + else if (!oe_only && *(src+1) == '~') { /* if there is a second specifier (~) on the line * we interprete this as a binary ID_DER_ASN1_DN @@ -133,7 +135,7 @@ ugh = ttodata(src+2, 0, 16, (char *)id->name.ptr , strlen(src), &id->name.len); } - else if (*(src+1) == '[') + else if (!oe_only && *(src+1) == '[') { /* if there is a second specifier ([) on the line * we interprete this as a text ID_KEY_ID, and we remove diff -Naur openswan-2.6.32-orig/lib/libopenswan/secrets.c openswan-2.6.32/lib/libopenswan/secrets.c --- openswan-2.6.32-orig/lib/libopenswan/secrets.c 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/lib/libopenswan/secrets.c 2013-04-24 13:11:05.800140140 -0400 @@ -1299,7 +1299,7 @@ } else { - ugh = atoid(flp->tok, &id, FALSE); + ugh = atoid(flp->tok, &id, FALSE, FALSE); } if (ugh != NULL) diff -Naur openswan-2.6.32-orig/lib/libopenswan/x509dn.c openswan-2.6.32/lib/libopenswan/x509dn.c --- openswan-2.6.32-orig/lib/libopenswan/x509dn.c 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/lib/libopenswan/x509dn.c 2013-04-24 13:11:05.801140153 -0400 @@ -476,7 +476,7 @@ {"TCGID" , {oid_TCGID, 12}, ASN1_PRINTABLESTRING} }; -#define X501_RDN_ROOF 24 +#define X501_RDN_ROOF elemsof(x501rdns) /* Maximum length of ASN.1 distinquished name */ #define ASN1_BUF_LEN 512 @@ -746,11 +746,11 @@ UNKNOWN_OID = 4 } state_t; - u_char oid_len_buf[3]; - u_char name_len_buf[3]; - u_char rdn_seq_len_buf[3]; - u_char rdn_set_len_buf[3]; - u_char dn_seq_len_buf[3]; + u_char oid_len_buf[ASN1_MAX_LEN_LEN]; + u_char name_len_buf[ASN1_MAX_LEN_LEN]; + u_char rdn_seq_len_buf[ASN1_MAX_LEN_LEN]; + u_char rdn_set_len_buf[ASN1_MAX_LEN_LEN]; + u_char dn_seq_len_buf[ASN1_MAX_LEN_LEN]; chunk_t asn1_oid_len = { oid_len_buf, 0 }; chunk_t asn1_name_len = { name_len_buf, 0 }; @@ -768,7 +768,7 @@ err_t ugh = NULL; - u_char *dn_ptr = dn->ptr + 4; + u_char *dn_ptr = dn->ptr + 1 + ASN1_MAX_LEN_LEN; /* leave room for prefix */ state_t state = SEARCH_OID; @@ -841,25 +841,37 @@ code_asn1_length(rdn_set_len, &asn1_rdn_set_len); /* encode the relative distinguished name */ - *dn_ptr++ = ASN1_SET; - chunkcpy(dn_ptr, asn1_rdn_set_len); - *dn_ptr++ = ASN1_SEQUENCE; - chunkcpy(dn_ptr, asn1_rdn_seq_len); - *dn_ptr++ = ASN1_OID; - chunkcpy(dn_ptr, asn1_oid_len); - chunkcpy(dn_ptr, x501rdns[pos].oid); - /* encode the ASN.1 character string type of the name */ - *dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING - && !is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type; - chunkcpy(dn_ptr, asn1_name_len); - chunkcpy(dn_ptr, name); - - /* accumulate the length of the distinguished name sequence */ - dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len; - - /* reset name and change state */ - name = empty_chunk; - state = SEARCH_OID; + if (IDTOA_BUF < dn_ptr - dn->ptr + + 1 + asn1_rdn_set_len.len /* set */ + + 1 + asn1_rdn_seq_len.len /* sequence */ + + 1 + asn1_oid_len.len + x501rdns[pos].oid.len /* oid len, oid */ + + 1 + asn1_name_len.len + name.len /* type name */ + ) { + /* no room! */ + ugh = "DN is too big"; + state = UNKNOWN_OID; + /* I think that it is safe to continue (but perhaps pointless) */ + } else { + *dn_ptr++ = ASN1_SET; + chunkcpy(dn_ptr, asn1_rdn_set_len); + *dn_ptr++ = ASN1_SEQUENCE; + chunkcpy(dn_ptr, asn1_rdn_seq_len); + *dn_ptr++ = ASN1_OID; + chunkcpy(dn_ptr, asn1_oid_len); + chunkcpy(dn_ptr, x501rdns[pos].oid); + /* encode the ASN.1 character string type of the name */ + *dn_ptr++ = (x501rdns[pos].type == ASN1_PRINTABLESTRING + && !is_printablestring(name))? ASN1_T61STRING : x501rdns[pos].type; + chunkcpy(dn_ptr, asn1_name_len); + chunkcpy(dn_ptr, name); + + /* accumulate the length of the distinguished name sequence */ + dn_seq_len += 1 + asn1_rdn_set_len.len + rdn_set_len; + + /* reset name and change state */ + name = empty_chunk; + state = SEARCH_OID; + } } break; case UNKNOWN_OID: @@ -867,9 +879,10 @@ } } while (*src++ != '\0'); - /* complete the distinguished name sequence*/ - code_asn1_length(dn_seq_len, &asn1_dn_seq_len); - dn->ptr += 3 - asn1_dn_seq_len.len; + /* complete the distinguished name sequence: prefix it with ASN1_SEQUENCE and length */ + + code_asn1_length((size_t)dn_seq_len, &asn1_dn_seq_len); + dn->ptr += ASN1_MAX_LEN_LEN + 1 - 1 - asn1_dn_seq_len.len; dn->len = 1 + asn1_dn_seq_len.len + dn_seq_len; dn_ptr = dn->ptr; *dn_ptr++ = ASN1_SEQUENCE; diff -Naur openswan-2.6.32-orig/programs/pluto/connections.c openswan-2.6.32/programs/pluto/connections.c --- openswan-2.6.32-orig/programs/pluto/connections.c 2013-04-24 13:10:30.520656796 -0400 +++ openswan-2.6.32/programs/pluto/connections.c 2013-04-24 13:11:05.802140167 -0400 @@ -891,7 +891,7 @@ } else { - err_t ugh = atoid(src->id, &dst->id, TRUE); + err_t ugh = atoid(src->id, &dst->id, TRUE, FALSE); if (ugh != NULL) { diff -Naur openswan-2.6.32-orig/programs/pluto/dnskey.c openswan-2.6.32/programs/pluto/dnskey.c --- openswan-2.6.32-orig/programs/pluto/dnskey.c 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/programs/pluto/dnskey.c 2013-04-24 13:11:05.803140181 -0400 @@ -289,8 +289,12 @@ if (*p == '@') { /* gateway specification in this record is @FQDN */ - err_t ugh = atoid(p, gw_id, FALSE); + if(strspn(p," ") >= IDTOA_BUF) { + return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": ID too large for IDTOA_BUF"); + } + + err_t ugh = atoid(p, gw_id, FALSE, TRUE); /* only run OE related parts of atoid() */ if (ugh != NULL) return builddiag("malformed FQDN in TXT " our_TXT_attr_string ": %s" , ugh); diff -Naur openswan-2.6.32-orig/programs/pluto/myid.c openswan-2.6.32/programs/pluto/myid.c --- openswan-2.6.32-orig/programs/pluto/myid.c 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/programs/pluto/myid.c 2013-04-24 13:11:05.803140181 -0400 @@ -103,7 +103,7 @@ if (idstr != NULL) { struct id id; - err_t ugh = atoid(idstr, &id, FALSE); + err_t ugh = atoid(idstr, &id, FALSE, FALSE); if (ugh != NULL) { diff -Naur openswan-2.6.32-orig/programs/pluto/rcv_whack.c openswan-2.6.32/programs/pluto/rcv_whack.c --- openswan-2.6.32-orig/programs/pluto/rcv_whack.c 2013-04-24 13:10:30.392655041 -0400 +++ openswan-2.6.32/programs/pluto/rcv_whack.c 2013-04-24 13:11:05.803140181 -0400 @@ -243,7 +243,7 @@ key_add_request(const struct whack_message *msg) { struct id keyid; - err_t ugh = atoid(msg->keyid, &keyid, FALSE); + err_t ugh = atoid(msg->keyid, &keyid, FALSE, FALSE); if (ugh != NULL) { diff -Naur openswan-2.6.32-orig/programs/showhostkey/showhostkey.c openswan-2.6.32/programs/showhostkey/showhostkey.c --- openswan-2.6.32-orig/programs/showhostkey/showhostkey.c 2010-12-17 20:23:54.000000000 -0500 +++ openswan-2.6.32/programs/showhostkey/showhostkey.c 2013-04-24 13:11:05.804140194 -0400 @@ -208,7 +208,7 @@ struct secret *s; err_t e; - e = atoid(idname, &id, FALSE); + e = atoid(idname, &id, FALSE, FALSE); if(e) { printf("%s: key '%s' is invalid\n", progname, idname); exit(4);