rhel 6
buffer weakness #4

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against them remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

libesmtp-1.0.4/smtp-tls.c

Context:

The highlighted line of code below is the trigger point of this particular Red Hat Enterprise Linux 6 buffer weakness.

 
	      do
		{
		  idx = i;
		  i = X509_NAME_get_index_by_NID (subj, NID_commonName, i);
		}
	      while (i >= 0);

	      if (idx >= 0
		  && (cn = X509_NAME_ENTRY_get_data (
						X509_NAME_get_entry (subj, idx)
						     )) != NULL)
		{
		  unsigned char *str = NULL;
		  int len = ASN1_STRING_to_UTF8 (&str, cn);

		  if (str != NULL)
		    {
		      if (strlen ((char *) str) == len
			  && match_domain (session->host, (char *) str))
			ok = 1;
		      else
			{
			  buf[0] = '\0';
			  strncat (buf, (char *) str, sizeof buf - 1);
			}
		      OPENSSL_free (str);
		    }
		}
	    }
	}

      if (!ok && session->event_cb != NULL)
	(*session->event_cb) (session, SMTP_EV_WRONG_PEER_CERTIFICATE,
			      session->event_cb_arg, &ok, buf, ssl);

      X509_free (cert);
    }
  return ok;
}

void
cmd_starttls (siobuf_t conn, smtp_session_t session)
{
  sio_write (conn, "STARTTLS\r\n", -1);
  session->cmd_state = -1;
}

void
rsp_starttls (siobuf_t conn, smtp_session_t session) 
