crypt32: Only accept trailing NULLs in a certificate common name.

2024-11-24 20:30:01 +00:00 · 2012-01-31 08:59:36 -08:00 · 2012-01-31 08:59:36 -08:00 · ab7f8a160f
commit ab7f8a160f
parent 4775c76208
1 changed files with 7 additions and 4 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -3163,10 +3163,6 @@ static BOOL match_domain_component(LPCWSTR allowed_component, DWORD allowed_len,

    *see_wildcard = FALSE;

-    /* permit server_len to be one byte short if allowed_component is NULL terminated */
-    if(allowed_component[allowed_len-1] == 0)
-        allowed_len--;
-
    if (server_len < allowed_len)
    {
        WARN_(chain)("domain component %s too short for %s\n",
@ -3226,6 +3222,13 @@ static BOOL match_common_name(LPCWSTR server_name, const CERT_RDN_ATTR *nameAttr

    TRACE_(chain)("CN = %s\n", debugstr_wn(allowed_component, allowed_len));

+    /* Remove trailing NULLs from the allowed name; while they shouldn't appear
+     * in a certificate in the first place, they sometimes do, and they should
+     * be ignored.
+     */
+    while (allowed_len && allowed_component[allowed_len - 1] == 0)
+      allowed_len--;
+
    /* From RFC 2818 (HTTP over TLS), section 3.1:
     * "Names may contain the wildcard character * which is considered to match
     *  any single domain name component or component fragment. E.g.,