diff options
| author | tb <> | 2021-12-28 15:49:11 +0000 |
|---|---|---|
| committer | tb <> | 2021-12-28 15:49:11 +0000 |
| commit | 5491024cb5cfc8b5ad8ead3147278f4272d612f9 (patch) | |
| tree | 343271e92f66d637510bdf8086d27cdb16719a8e | |
| parent | 8340c867e544bc54b944619cd264a575571cd5c2 (diff) | |
| download | openbsd-5491024cb5cfc8b5ad8ead3147278f4272d612f9.tar.gz openbsd-5491024cb5cfc8b5ad8ead3147278f4272d612f9.tar.bz2 openbsd-5491024cb5cfc8b5ad8ead3147278f4272d612f9.zip | |
Convert X509v3_adr_get_afi() to CBS
The manual byte bashing is performed more safely using this API
which would have avoided the out-of-bounds read that this API had
until a few years back.
The API is somewhat strange in that it uses the reserved AFI 0 as an
in-band error but it doesn't care about the reserved AFI 65535.
ok inoguchi jsing
| -rw-r--r-- | src/lib/libcrypto/x509/x509_addr.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index bb2e9e5867..64dd830514 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_addr.c,v 1.28 2021/12/25 23:35:25 tb Exp $ */ | 1 | /* $OpenBSD: x509_addr.c,v 1.29 2021/12/28 15:49:11 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Contributed to the OpenSSL Project by the American Registry for | 3 | * Contributed to the OpenSSL Project by the American Registry for |
| 4 | * Internet Numbers ("ARIN"). | 4 | * Internet Numbers ("ARIN"). |
| @@ -73,6 +73,7 @@ | |||
| 73 | #include <openssl/x509.h> | 73 | #include <openssl/x509.h> |
| 74 | #include <openssl/x509v3.h> | 74 | #include <openssl/x509v3.h> |
| 75 | 75 | ||
| 76 | #include "bytestring.h" | ||
| 76 | #include "x509_lcl.h" | 77 | #include "x509_lcl.h" |
| 77 | 78 | ||
| 78 | #ifndef OPENSSL_NO_RFC3779 | 79 | #ifndef OPENSSL_NO_RFC3779 |
| @@ -330,16 +331,30 @@ length_from_afi(const unsigned afi) | |||
| 330 | 331 | ||
| 331 | /* | 332 | /* |
| 332 | * Extract the AFI from an IPAddressFamily. | 333 | * Extract the AFI from an IPAddressFamily. |
| 334 | * | ||
| 335 | * This is public API. It uses the reserved AFI 0 as an in-band error | ||
| 336 | * while it doesn't care about the reserved AFI 65535... | ||
| 333 | */ | 337 | */ |
| 334 | unsigned int | 338 | unsigned int |
| 335 | X509v3_addr_get_afi(const IPAddressFamily *f) | 339 | X509v3_addr_get_afi(const IPAddressFamily *f) |
| 336 | { | 340 | { |
| 337 | if (f == NULL || | 341 | CBS cbs; |
| 338 | f->addressFamily == NULL || | 342 | uint16_t afi; |
| 339 | f->addressFamily->data == NULL || | 343 | |
| 340 | f->addressFamily->length < 2) | 344 | /* |
| 345 | * XXX are these NULL checks really sensible? If f is non-NULL, it | ||
| 346 | * should have both addressFamily and ipAddressChoice... | ||
| 347 | */ | ||
| 348 | if (f == NULL || f->addressFamily == NULL || | ||
| 349 | f->addressFamily->data == NULL) | ||
| 341 | return 0; | 350 | return 0; |
| 342 | return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1]; | 351 | |
| 352 | CBS_init(&cbs, f->addressFamily->data, f->addressFamily->length); | ||
| 353 | |||
| 354 | if (!CBS_get_u16(&cbs, &afi)) | ||
| 355 | return 0; | ||
| 356 | |||
| 357 | return afi; | ||
| 343 | } | 358 | } |
| 344 | 359 | ||
| 345 | /* | 360 | /* |