[pve-devel] [PATCH access-control] Catch error instead of segfaulting
Fabian Grünbichler
f.gruenbichler at proxmox.com
Tue Mar 8 16:17:55 CET 2016
When trying to parse a certificate subject, Net::SSLeay
will segfault in libcrypto when given 0 as input. Catch
this and die with a meaningful error message instead.
---
Note: this should not happen unless people mess with the
certificate files themselves, but better safe than sorry,
especially when the alternative is segfaulting.
PVE/AccessControl.pm | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index db31121..b42797b 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -287,8 +287,15 @@ sub read_x509_subject_spice {
# read x509 subject
my $bio = Net::SSLeay::BIO_new_file($filename, 'r');
+ die "Could not open $filename using OpenSSL\n"
+ if !$bio;
+
my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
Net::SSLeay::BIO_free($bio);
+
+ die "Could not parse X509 certificate in $filename\n"
+ if !$x509;
+
my $nameobj = Net::SSLeay::X509_get_subject_name($x509);
my $subject = Net::SSLeay::X509_NAME_oneline($nameobj);
Net::SSLeay::X509_free($x509);
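Review bot: both new `die` messages in read_x509_subject_spice name only the file, not the reason OpenSSL rejected it, so an admin cannot tell an unreadable file from a malformed PEM. Consider appending the OpenSSL reason, for example via Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error()), which also takes that entry off the error queue instead of leaving it behind for later callers. Separately, `$nameobj` from X509_get_subject_name is still handed to X509_NAME_oneline unchecked; the same `die ... if !$nameobj;` guard would fit there, with X509_free($x509) called before dying.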
--
2.1.4