Ensure that we check the ASN.1 type of an "otherName" before using it

We should not assume that the type of an ASN.1 value is UTF8String as expected. We must actually check it, otherwise we could get a NULL ptr deref, or worse memory errors. Reported by David Benjamin. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16443)
2025-02-17 14:32:04 +08:00 · 2021-08-26 09:43:50 +01:00 · 2021-08-26 09:43:50 +01:00 · c7f8edfc11
commit c7f8edfc11
parent 5595058714
1 changed files with 12 additions and 5 deletions
--- a/crypto/x509/v3_utl.c
+++ b/crypto/x509/v3_utl.c
@ -901,12 +901,19 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
                if (OBJ_obj2nid(gen->d.otherName->type_id) ==
                    NID_id_on_SmtpUTF8Mailbox) {
                    san_present = 1;
+
+                    /*
+                     * If it is not a UTF8String then that is unexpected and we
+                     * treat it as no match
+                     */
+                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
                        cstr = gen->d.otherName->value->value.utf8string;

                        /* Positive on success, negative on error! */
                        if ((rv = do_check_string(cstr, 0, equal, flags,
                                                chk, chklen, peername)) != 0)
                            break;
+                    }
                } else
                    continue;
            } else {