New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix heap over-read when parsing x509 certificates #7536
Conversation
You're right on the ground, but I would not fix it by returning a NULL, as zero-length octet/bit strings are valid. Maybe something as:
|
Sure thing. I replaced
|
How about this slight tweak, to
if(n <= (SIZE_T_MAX - 1) / 3) {
size_t len = 3 * n + 1;
buf = malloc(len);
if(buf) {
*buf = '\0';
for(n = 0; beg < end;) {
size_t o = msnprintf(&buf[n], len, "%02x:",
*(const unsigned char *) beg++);
n += o;
len -= o;
}
}
} |
I don't think it's very useful: each |
Sure, my version is just slightly more "defensive" and doesn't assume as much, like that the remaining allocation always fit 4 bytes. I won't insist, but I think that's a better way to write this code. msnprintf() cannot return -1. |
It does: the source of allocation size is the same as the loop count control and overflow cannot occur thanks to the |
If it makes you feel safer, we could also use a dynbuf now that they exist. |
Oh right! Yes I would approve of that. |
Something like:
@z2-2z : Do you want to create a commit for it or would you prefer I do it ? |
The typecast can be removed too now, right? Like: result = Curl_dyn_addf(&buf, "%02x:", beg[0]); |
Don't you fear a possible sign extension? |
The dynbuf code is now included in the pull request |
whoopsie, fixed now |
Thanks! |
The function
encodeDN
inlib/x509asn1.c
has a heap over-read.Root cause:
If
beg == end
, the returned chunk will be uninitialized.The uninitialized chunk gets returned by
ASN1tostr
inencodeDN
:If the chunk doesn't contain a NUL byte,
p3
will go over the chunk boundaries and fillsbuf
with some heap metadata.This can be triggered in two different ways:
Luckily this isn't dangerous at all since the resulting leak is only visible to a client using libcurl.