From df54b14fb77bc7f62f31971ed8bb26ec24bf27d5 Mon Sep 17 00:00:00 2001
From: Matthew Whitehead <matthew1001@gmail.com>
Date: Mon, 15 Oct 2018 16:27:28 +0100
Subject: x509asn1: Fix SAN IP address verification

For IP addresses in the subject alternative name field, the length
of the IP address (and hence the number of bytes to perform a
memcmp on) is incorrectly calculated to be zero. The code previously
subtracted q from name.end. where in a successful case q = name.end
and therefore addrlen equalled 0. The change modifies the code to
subtract name.beg from name.end to calculate the length correctly.

The issue only affects libcurl with GSKit SSL, not other SSL backends.
The issue is not a security issue as IP verification would always fail.

Fixes #3102
Closes #3141
---
 lib/x509asn1.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib')

diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index fc51e02f4..a0be23d61 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -1131,8 +1131,8 @@ CURLcode Curl_verifyhost(struct connectdata *conn,
           break;
 
         case 7: /* IP address. */
-          matched = (size_t) (name.end - q) == addrlen &&
-                    !memcmp(&addr, q, addrlen);
+          matched = (size_t) (name.end - name.beg) == addrlen &&
+                    !memcmp(&addr, name.beg, addrlen);
           break;
         }
       }
-- 
cgit v1.2.3