From 147184381e5159be2f7f3375931a5d41db208416 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Tue, 4 Aug 2009 00:57:35 +0200
Subject: [PATCH] Check for NUL in the middle of the string
---
 lib/asn1/der_get.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/lib/asn1/der_get.c b/lib/asn1/der_get.c
index bc193fde4..c3a573cc0 100644
--- a/lib/asn1/der_get.c
+++ b/lib/asn1/der_get.c
@@ -200,6 +200,13 @@ der_get_bmp_string (const unsigned char *p, size_t len,
 for (i = 0; i < data->length; i++) {
 data->data[i] = (p[0] << 8) | p[1];
 p += 2;
+ /* check for NUL in the middle of the string */
+ if (data->data[i] == 0 && i != (data->length - 1)) {
+ free(data->data);
+ data->data = NULL;
+ data->length = 0;
+ return ASN1_BAD_CHARACTER;
+ }
 }
 if (size) *size = len;
@@ -224,6 +231,13 @@ der_get_universal_string (const unsigned char *p, size_t len,
 for (i = 0; i < data->length; i++) {
 data->data[i] = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
 p += 4;
+ /* check for NUL in the middle of the string */
+ if (data->data[i] == 0 && i != (data->length - 1)) {
+ free(data->data);
+ data->data = NULL;
+ data->length = 0;
+ return ASN1_BAD_CHARACTER;
+ }
 }
 if (size) *size = len;
 return 0;
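Review bot: The new check exempts a NUL in the last position (`i != (data->length - 1)`) without saying why, so a BMPString whose final character is U+0000 still decodes successfully with that NUL counted in `data->length`. If the tolerance is deliberate, the comment should state it and the reason for the rejection, e.g. `/* reject embedded NUL: a consumer that treats the value as NUL-terminated would see a truncated name; one trailing NUL is tolerated */`; if it is not deliberate, drop the `i != ...` clause. The same applies to the identical check in the der_get_universal_string hunk. The other string decoders in der_get.c are not part of this diff, so it is worth confirming they reject embedded NULs too. der_get_bmp_string starts and ends outside the hunk.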
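Review bot: The value tested by the new NUL check is built with `(p[0] << 24)` on the context line above it, where `p[0]` is an `unsigned char` promoted to `int`, so a first byte of 0x80 or more shifts into the sign bit, which is undefined behaviour in C. Casting before the shift avoids it: `data->data[i] = ((uint32_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];`, assuming the element type is a 32-bit unsigned integer, which this hunk does not show. That line predates the commit, but the added rejection logic depends on the value it produces. der_get_universal_string starts and ends outside the hunk.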