CVE

CVE-2024-5991

Severity:

Pending analysis

Type:

CWE-125 Out-of-bounds Read

Publication date:

27/08/2024

Last modified:

28/08/2024

Description

In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.

References to Advisories, Solutions, and Tools

https://https://github.com/wolfSSL/wolfssl/pull/7604