Harden QAsn1Element against malicious ASN.1 strings.

We don't currently use this class for critical things like hostname
verification however we still want to ensure that it is not possible
to trick it using ASN.1 strings with embedded NUL characters. This will
avoid problems in the future.

Change-Id: Ibf3bc142a94fc9cad5f06db50f375399a087f9dc
Reviewed-by: Jeremy Lainé <jeremy.laine@m4x.org>
Reviewed-by: Oliver Wolff <oliver.wolff@theqtcompany.com>
Reviewed-by: Daniel Molkentin <daniel@molkentin.de>

2 files changed, 42 insertions, 0 deletions

diff --git a/src/network/ssl/qasn1element.cpp b/src/network/ssl/qasn1element.cpp
index f3f280d863..88f0ffb625 100644
--- a/src/network/ssl/qasn1element.cpp
+++ b/src/network/ssl/qasn1element.cpp
@@ -336,10 +336,15 @@ QByteArray QAsn1Element::toObjectName() const
 
 QString QAsn1Element::toString() const
 {
+    // Detect embedded NULs and reject
+    if (qstrlen(mValue) < uint(mValue.size()))
+        return QString();
+
     if (mType == PrintableStringType || mType == TeletexStringType)
         return QString::fromLatin1(mValue, mValue.size());
     if (mType == Utf8StringType)
         return QString::fromUtf8(mValue, mValue.size());
+
     return QString();
 }
 
diff --git a/tests/auto/network/ssl/qasn1element/tst_qasn1element.cpp b/tests/auto/network/ssl/qasn1element/tst_qasn1element.cpp
index 30a01cb6f4..11518546a5 100644
--- a/tests/auto/network/ssl/qasn1element/tst_qasn1element.cpp
+++ b/tests/auto/network/ssl/qasn1element/tst_qasn1element.cpp
@@ -55,6 +55,8 @@ private slots:
     void octetString();
     void objectIdentifier_data();
     void objectIdentifier();
+    void string_data();
+    void string();
 };
 
 void tst_QAsn1Element::emptyConstructor()
@@ -265,5 +267,40 @@ void tst_QAsn1Element::objectIdentifier()
     QCOMPARE(elem.toObjectName(), name);
 }
 
+void tst_QAsn1Element::string_data()
+{
+    QTest::addColumn<QAsn1Element>("element");
+    QTest::addColumn<QString>("value");
+
+    QTest::newRow("printablestring")
+        << QAsn1Element(QAsn1Element::PrintableStringType, QByteArray("Hello World"))
+        << QStringLiteral("Hello World");
+    QTest::newRow("teletextstring")
+        << QAsn1Element(QAsn1Element::TeletexStringType, QByteArray("Hello World"))
+        << QStringLiteral("Hello World");
+    QTest::newRow("utf8string")
+        << QAsn1Element(QAsn1Element::Utf8StringType, QByteArray("Hello World"))
+        << QStringLiteral("Hello World");
+
+    // Embedded NULs are not allowed and should be rejected
+    QTest::newRow("evil_printablestring")
+        << QAsn1Element(QAsn1Element::PrintableStringType, QByteArray("Hello\0World", 11))
+        << QString();
+    QTest::newRow("evil_teletextstring")
+        << QAsn1Element(QAsn1Element::TeletexStringType, QByteArray("Hello\0World", 11))
+        << QString();
+    QTest::newRow("evil_utf8string")
+        << QAsn1Element(QAsn1Element::Utf8StringType, QByteArray("Hello\0World", 11))
+        << QString();
+}
+
+void tst_QAsn1Element::string()
+{
+    QFETCH(QAsn1Element, element);
+    QFETCH(QString, value);
+
+    QCOMPARE(element.toString(), value);
+}
+
 QTEST_MAIN(tst_QAsn1Element)
 #include "tst_qasn1element.moc"