[[EMAIL PROTECTED] - Wed Aug 21 22:14:01 2002]:
> Dear OpenSSL Team,
>
> Our company is the market leader on X509 certificate issuance in
> Hungary. For some functions we use OpenSSL products and we have found a
> problem in the recently issued OpenSSL versions that we would like to
> share.
>
>
> op=d2i_ASN1_OBJECT(NULL,&p,i); --> this should be
> op=d2i_ASN1_OBJECT(NULL,&p,j);
> ...
>
> In the code snippet above the "i" variable contains the length of the
> object content while the "j" variable contains the whole asn1 structure
> length. So I assume in the "d2i_ASN1_OBJECT" function call the "j"
> variable should be given instead of the "i" one as in the other d2i...
> kinda functions. This length parameter is used for buffer size checking
> later in the "ASN1_get_object" function:
>

Yes that's correct. This bug has always been present but the old
ASN1_get_object could read past the end of the supplied buffer so it
wasn't caught until now.

A fix has already been checked into the 0.9.6-stable branch.

It is also possible to work around this bug by using the OBJ_create and
OBJ_nid2obj functions instead.

Steve.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
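
The length mismatch discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a minimal DER header reader with a strict bounds check rejects the object when handed the content length (`i`) and accepts it with the whole-structure length (`j`), while a lenient reader hides the mistake. The helper `tlv_content_len`, its `strict` flag and the sample OID bytes are constructed for illustration.

```c
#include <stdio.h>

/* Constructed sample: DER encoding of OID 1.2.840.113549 (tag 0x06, length 6). */
static const unsigned char SAMPLE_OID[] = {0x06, 0x06, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D};

/*
 * Hypothetical helper (not OpenSSL's ASN1_get_object): read one DER header
 * from buf, where `max` is the number of bytes the caller says are available.
 * Returns the content length, or -1 on error. With strict == 0 the final
 * bounds check is skipped, modelling a parser that trusts the encoded length.
 */
static long tlv_content_len(const unsigned char *buf, long max, int want_tag, int strict)
{
    long pos = 0, len;

    if (max < 2 || buf[pos++] != want_tag)
        return -1;
    len = buf[pos++];
    if (len & 0x80) {                   /* long form: low 7 bits = number of length bytes */
        int n = (int)(len & 0x7F);
        if (n == 0 || n > 3 || n > max - pos)
            return -1;                  /* indefinite, oversized or truncated length */
        for (len = 0; n > 0; n--)
            len = (len << 8) | buf[pos++];
    }
    if (strict && len > max - pos)
        return -1;                      /* content would run past the supplied buffer */
    return len;
}

int main(void)
{
    long j = (long)sizeof(SAMPLE_OID);  /* whole structure: header + content */
    long i = j - 2;                     /* content only, as in the reported call */

    printf("strict,  length=i: %ld\n", tlv_content_len(SAMPLE_OID, i, 0x06, 1));
    printf("strict,  length=j: %ld\n", tlv_content_len(SAMPLE_OID, j, 0x06, 1));
    printf("lenient, length=i: %ld\n", tlv_content_len(SAMPLE_OID, i, 0x06, 0));
    return 0;
}
```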
