x509asn1: Fix SAN IP address verification

For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail. Fixes #3102 Closes #3141
2025-03-13 15:37:04 +08:00 · 2018-10-15 16:27:28 +01:00 · 2018-10-15 16:27:28 +01:00 · df54b14fb7
commit df54b14fb7
parent 03186b1187
1 changed files with 2 additions and 2 deletions
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@ -1131,8 +1131,8 @@ CURLcode Curl_verifyhost(struct connectdata *conn,
          break;

        case 7: /* IP address. */
-          matched = (size_t) (name.end - q) == addrlen &&
-                    !memcmp(&addr, q, addrlen);
+          matched = (size_t) (name.end - name.beg) == addrlen &&
+                    !memcmp(&addr, name.beg, addrlen);
          break;
        }
      }