This bug is still present in the latest release.
Type: bug
Version: openssl-1.0.1f
Operating system: linux x86_64 ( +all )
--
--
mdone
--- openssl-1.0.1f-a/crypto/x509/by_dir.c 2014-01-06 15:47:42.000000000 +0200
+++ openssl-1.0.1f-b/crypto/x509/by_dir.c 2014-02-10 16:22:02.890588523 +0200
@@ -226,7 +226,11 @@
ss=s;
s=p+1;
len=(int)(p-ss);
- if (len == 0) continue;
+ if (len == 0) {
+ if ( *p )
+ break;
+ continue;
+ }
for (j=0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++)
{
ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
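Review bot: The new `if ( *p ) break;` in the empty-segment case looks inverted: at this point `p` points at either the list separator or the terminating NUL, so `*p` is non-zero exactly when a separator was hit, and `break` then abandons every directory that follows an empty entry (the second path of `/a::/b` is never registered), while at the terminator the code still falls through to `continue`. If the intent is to stop the scan at the end of the string, the two statements should be `if (*p == '\0') break;` followed by `continue;`. What `continue` does here depends on the `for`/`do` header that controls the scan, which is outside this hunk, so this needs checking against the full function; an alternative that removes the problem regardless of the header is a `do { ... } while (*p++ != '\0');` loop, so that `continue` re-tests the current byte instead of stepping past it.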
@@ -234,8 +238,11 @@
strncmp(ent->dir,ss,(unsigned int)len) == 0)
break;
}
- if (j < sk_BY_DIR_ENTRY_num(ctx->dirs))
+ if (j < sk_BY_DIR_ENTRY_num(ctx->dirs)) {
+ if ( *p )
+ break;
continue;
+ }
if (ctx->dirs == NULL)
{
ctx->dirs = sk_BY_DIR_ENTRY_new_null();
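Review bot: The added `if ( *p ) break;` on the duplicate-directory path has the same problem as a stop-at-end check would have if written backwards: `*p` is non-NUL when the scan stopped on a separator, so a list such as `/a:/b` where `/a` is already registered breaks out before `/b` is seen, whereas at the terminator (`*p == '\0'`) the code still reaches `continue`. Assuming the goal is to stop at the terminator, the check should read `if (*p == '\0') break;` before the `continue;`. The loop header that decides where `continue` lands is not in the hunk, so the behaviour at the terminator cannot be confirmed from this excerpt; the attached PoC calls the loader twice with the same single path, which is the case that reaches this branch with `*p == '\0'`.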
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
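/*
 * Proof of concept for the add_cert_dir() over-read: hand
 * SSL_CTX_load_verify_locations() a CApath whose terminating NUL is the
 * last byte before a page that cannot be read, so the first byte read
 * past the terminator faults immediately instead of wandering through
 * whatever happens to follow the string in memory.
 *
 * Why this is no longer a plain global array:
 *  - mprotect() requires a page-aligned address; `char buffer[8192]` has
 *    no such guarantee, so mprotect(buffer + 4096, ...) could fail with
 *    EINVAL and its return value was never checked.
 *  - PROT_READ does not trap a read at all; the old harness only crashed
 *    once the scan ran off the end of mapped memory.  The guard page here
 *    is PROT_NONE, so the first over-read byte is the one that faults.
 *
 * Returns 0 if both load calls survive (the library under test is fixed)
 * and 1 if the harness itself could not be set up.  An affected library
 * is expected to die with SIGSEGV on the second call.
 */
int main(void)
{
	static const char capath[] = "/tmp";
	long pagesize = sysconf(_SC_PAGESIZE);
	char *region;
	char *p;
	SSL_CTX *ssl_ctx;

	if (pagesize <= 0) {
		perror("sysconf(_SC_PAGESIZE)");
		return 1;
	}

	/*
	 * Two page-aligned pages: the path sits at the very end of the first,
	 * the second becomes an inaccessible guard.  aligned_alloc() is C11;
	 * mprotect() on heap pages is Linux behaviour, which is what the report
	 * targets.  The block is deliberately never freed: once released, the
	 * allocator could hand the protected page back out to a later caller.
	 */
	region = aligned_alloc((size_t)pagesize, (size_t)pagesize * 2);
	if (region == NULL) {
		perror("aligned_alloc");
		return 1;
	}
	if (mprotect(region + pagesize, (size_t)pagesize, PROT_NONE) != 0) {
		perror("mprotect");
		return 1;
	}

	/* sizeof capath counts the NUL, so the NUL lands on the last byte of page 1. */
	p = region + pagesize - sizeof capath;
	memcpy(p, capath, sizeof capath);
	(void)strlen(p); /* the string itself must be readable up to and including its NUL */

	SSL_library_init();
	SSL_load_error_strings();
	ssl_ctx = SSL_CTX_new(SSLv23_server_method());
	if (ssl_ctx == NULL) {
		printf("SSL_CTX_new failed, error = %lu\n", ERR_get_error());
		return 1;
	}

	/* First call: the directory is not yet registered. */
	if (!SSL_CTX_load_verify_locations(ssl_ctx, NULL, p)) {
		printf("error = %lu\n", ERR_get_error());
	}
	printf("now crashing...\n");
	/*
	 * Second call with the same path: the original report crashes here,
	 * presumably on the duplicate-directory branch of add_cert_dir()
	 * (the second hunk of the attached patch) -- confirm against the
	 * full function.
	 */
	if (!SSL_CTX_load_verify_locations(ssl_ctx, NULL, p)) {
		printf("error = %lu\n", ERR_get_error());
	}
	printf("ups! did you fix it? ... sorry\n");
	SSL_CTX_free(ssl_ctx);
	return 0;
}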