dovecot-2.0: ssl_username_from_cert=yes: Don't truncate username...

[dovecot at dovecot.org]

details:   http://hg.dovecot.org/dovecot-2.0/rev/89a3b2d09a26
changeset: 9723:89a3b2d09a26
user:      Timo Sirainen <tss at iki.fi>
date:      Tue Aug 04 14:54:36 2009 -0400
description:
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.

diffstat:

1 file changed, 16 insertions(+), 6 deletions(-)
src/login-common/ssl-proxy-openssl.c |   22 ++++++++++++++++------

diffs (40 lines):

diff -r 497b2f2bd175 -r 89a3b2d09a26 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Tue Aug 04 14:35:21 2009 -0400
+++ b/src/login-common/ssl-proxy-openssl.c	Tue Aug 04 14:54:36 2009 -0400
@@ -609,8 +609,8 @@ const char *ssl_proxy_get_peer_name(stru
 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)
 {
 	X509 *x509;
-	char buf[1024];
-	const char *name;
+	char *name;
+	int len;
 
 	if (!ssl_proxy_has_valid_client_cert(proxy))
 		return NULL;
@@ -619,11 +619,21 @@ const char *ssl_proxy_get_peer_name(stru
 	if (x509 == NULL)
 		return NULL; /* we should have had it.. */
 
-	if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
-				      ssl_username_nid, buf, sizeof(buf)) < 0)
+	len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
+					ssl_username_nid, NULL, 0);
+	if (len < 0)
 		name = "";
-	else
-		name = t_strndup(buf, sizeof(buf));
+	else {
+		name = t_malloc(len + 1);
+		if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
+					ssl_username_nid, name, len + 1) < 0)
+			name = "";
+		else if (strlen(name) != (size_t)len) {
+			/* NUL characters in name. Someone's trying to fake
+			   being another user? Don't allow it. */
+			name = "";
+		}
+	}
 	X509_free(x509);
 	
 	return *name == '\0' ? NULL : name;