-rw-r--r--Changes.rst7
-rw-r--r--src/openvpn/ssl_verify_openssl.c5
2 files changed, 11 insertions, 1 deletions
diff --git a/Changes.rst b/Changes.rst
index 6fa1c0c..726e591 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -318,6 +318,13 @@ Security
server. That can eventuall cause the server to run out of memory, and thereby
causing the server process to terminate. Discovered and reported to the
OpenVPN security team by Guido Vranken. (OpenSSL builds only.)
+- CVE-2017-7521: Fix a potential post-authentication remote code execution
+ attack on servers that use the ``--x509-alt-username`` option with an X.509
+ extension field (option argument prefixed with ``ext:``). A client that can
+ cause a server to run out-of-memory (see above) might be able to cause the
+ server to double free, which in turn might lead to remote code execution.
+ Discovered and reported to the OpenVPN security team by Guido Vranken.
+ (OpenSSL builds only.)
User-visible Changes
--------------------
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 08451f2..f9e889f 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -156,7 +156,10 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
switch (name->type)
{
case GEN_EMAIL:
- ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5);
+ if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0)
+ {
+ continue;
+ }
if (strlen(buf) != name->d.ia5->length)
{
msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
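Review bot: `buf` keeps whatever value it had before the call when the new `continue` under `case GEN_EMAIL` is taken, so the fix holds only as long as every path through the loop remembers to check the return of `ASN1_STRING_to_UTF8()`. The declaration of `buf` and the code that frees it lie outside this hunk; if `buf` is declared outside the loop, as the double free described in Changes.rst suggests, resetting it with `buf = NULL;` at the start of each iteration (or right after each free) would make a stale pointer harmless even if a later edit drops the check. The `continue` is also silent, so a conversion or allocation failure during certificate verification leaves no trace in the log; a `msg(D_TLS_ERRORS, ...)` call before it, in the style of the existing "ASN1 ERROR" message, would let operators notice repeated failures under memory pressure.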