Harden QAsn1Element against malicious ASN.1 strings.

We don't currently use this class for critical things like hostname verification however we still want to ensure that it is not possible to trick it using ASN.1 strings with embedded NUL characters. This will avoid problems in the future. Change-Id: Ibf3bc142a94fc9cad5f06db50f375399a087f9dc Reviewed-by: Jeremy Lainé <jeremy.laine@m4x.org> Reviewed-by: Oliver Wolff <oliver.wolff@theqtcompany.com> Reviewed-by: Daniel Molkentin <daniel@molkentin.de>
2015-01-31 14:44:14 +00:00 · 2015-01-31 14:44:14 +00:00 · 3bc5f8c081
commit 3bc5f8c081
parent b10fa67605
2 changed files with 42 additions and 0 deletions
--- a/src/network/ssl/qasn1element.cpp
+++ b/src/network/ssl/qasn1element.cpp
@ -336,10 +336,15 @@ QByteArray QAsn1Element::toObjectName() const

 QString QAsn1Element::toString() const
 {
+    // Detect embedded NULs and reject
+    if (qstrlen(mValue) < uint(mValue.size()))
+        return QString();
+
    if (mType == PrintableStringType || mType == TeletexStringType)
        return QString::fromLatin1(mValue, mValue.size());
    if (mType == Utf8StringType)
        return QString::fromUtf8(mValue, mValue.size());
+
    return QString();
 }

--- a/tests/auto/network/ssl/qasn1element/tst_qasn1element.cpp
+++ b/tests/auto/network/ssl/qasn1element/tst_qasn1element.cpp
@ -55,6 +55,8 @@ private slots:
    void octetString();
    void objectIdentifier_data();
    void objectIdentifier();
+    void string_data();
+    void string();
 };

 void tst_QAsn1Element::emptyConstructor()
@ -265,5 +267,40 @@ void tst_QAsn1Element::objectIdentifier()
    QCOMPARE(elem.toObjectName(), name);
 }

+void tst_QAsn1Element::string_data()
+{
+    QTest::addColumn<QAsn1Element>("element");
+    QTest::addColumn<QString>("value");
+
+    QTest::newRow("printablestring")
+        << QAsn1Element(QAsn1Element::PrintableStringType, QByteArray("Hello World"))
+        << QStringLiteral("Hello World");
+    QTest::newRow("teletextstring")
+        << QAsn1Element(QAsn1Element::TeletexStringType, QByteArray("Hello World"))
+        << QStringLiteral("Hello World");
+    QTest::newRow("utf8string")
+        << QAsn1Element(QAsn1Element::Utf8StringType, QByteArray("Hello World"))
+        << QStringLiteral("Hello World");
+
+    // Embedded NULs are not allowed and should be rejected
+    QTest::newRow("evil_printablestring")
+        << QAsn1Element(QAsn1Element::PrintableStringType, QByteArray("Hello\0World", 11))
+        << QString();
+    QTest::newRow("evil_teletextstring")
+        << QAsn1Element(QAsn1Element::TeletexStringType, QByteArray("Hello\0World", 11))
+        << QString();
+    QTest::newRow("evil_utf8string")
+        << QAsn1Element(QAsn1Element::Utf8StringType, QByteArray("Hello\0World", 11))
+        << QString();
+}
+
+void tst_QAsn1Element::string()
+{
+    QFETCH(QAsn1Element, element);
+    QFETCH(QString, value);
+
+    QCOMPARE(element.toString(), value);
+}
+
 QTEST_MAIN(tst_QAsn1Element)
 #include "tst_qasn1element.moc"