CVE-2024-5991
Buffer overread in domain name matching
In short
A security check function in wolfSSL reads beyond the boundaries of a user-provided buffer when checking domain names, potentially exposing sensitive data from memory. This happens because the function assumes the input string ends with a null terminator, even when it doesn't.
Technical detail
CWE-125 out-of-bounds read in MatchDomainName() function: X509_check_host() accepts a pointer and length parameter but internally treats input as NULL-terminated without validation, causing buffer overread when processing non-terminated buffers. Remote attackers can trigger information disclosure by providing crafted certificate data to affected wolfSSL versions through 5.7.0.
Summary generated and translated by AI from the official description.
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator. This issue affects wolfSSL: through 5.7.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
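The bug class described above, shown as an added C example that is not wolfSSL's source code: a matcher that accepts a length but walks to a NUL byte, beside a form where every read is bounded by that length. The names `match_unsafe`, `match_bounded` and `sample`, and the single-label wildcard rule, are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed input: the caller's name is the first 11 bytes only. The
 * trailing bytes stand in for adjacent memory, kept in one array so the
 * extra reads below stay defined. */
static const char sample[] = "example.comTRAILING";
#define LOWER(c) tolower((unsigned char)(c))

/* Flawed shape (illustrative, not wolfSSL source): str_len is accepted but
 * never used, so the walk over str ends only at a '\0' byte. */
static int match_unsafe(const char *pat, const char *str, size_t str_len)
{
    (void)str_len;
    for (; *pat != '\0' && *str != '\0'; pat++, str++)
        if (LOWER(*pat) != LOWER(*str))
            return 0;
    return *pat == '\0' && *str == '\0';
}

/* Bounded form: every read of str is checked against str_len. '*' in pat
 * matches zero or more characters inside one label, never a '.'. */
static int match_bounded(const char *pat, size_t pat_len,
                         const char *str, size_t str_len)
{
    size_t p = 0, s = 0;
    for (; p < pat_len; p++, s++) {
        if (pat[p] == '*') {
            for (p++; ; s++) {   /* try each wildcard span in turn */
                if (match_bounded(pat + p, pat_len - p, str + s, str_len - s))
                    return 1;
                if (s == str_len || str[s] == '.')
                    return 0;
            }
        }
        if (s == str_len || LOWER(pat[p]) != LOWER(str[s]))
            return 0;
    }
    return s == str_len;
}

int main(void)
{
    printf("unsafe=%d bounded=%d\n", match_unsafe("example.com", sample, 11),
           match_bounded("example.com", 11, sample, 11));
    return 0;
}
```

With the same pointer and length, the unbounded walk consumes bytes past offset 11 and so compares a different string than the caller supplied; in a real caller those bytes belong to whatever memory follows the buffer.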
Affected products
wolfSSL · wolfSSL