Restrict the length of openssl conf value string

There was no limitation for the length of openssl conf value.
This brings possibility of out-of-memory problem as oss-fuzz had detected.
This diff restricts the length of conf value up to 64k.

ok jsing@

3 files changed, 14 insertions, 5 deletions

diff --git a/src/lib/libcrypto/conf/conf.h b/src/lib/libcrypto/conf/conf.h
index 095066d31b..bea6a87197 100644
--- a/src/lib/libcrypto/conf/conf.h
+++ b/src/lib/libcrypto/conf/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.14 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: conf.h,v 1.15 2020/02/17 12:51:48 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -241,6 +241,7 @@ void ERR_load_CONF_strings(void);
 #define CONF_R_NO_VALUE                                  108
 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION              103
 #define CONF_R_UNKNOWN_MODULE_NAME                       113
+#define CONF_R_VARIABLE_EXPANSION_TOO_LONG               116
 #define CONF_R_VARIABLE_HAS_NO_VALUE                     104
 
 #ifdef  __cplusplus
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 4099ffc66c..f2b2c9477b 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_def.c,v 1.32 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: conf_def.c,v 1.33 2020/02/17 12:51:48 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -70,6 +70,8 @@
 
 #include "conf_def.h"
 
+#define MAX_CONF_VALUE_LENGTH 65536
+
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
 static void clear_comments(CONF *conf, char *p);
@@ -455,6 +457,7 @@ str_copy(CONF *conf, char *section, char **pto, char *from)
 {
         int q, r,rr = 0, to = 0, len = 0;
         char *s, *e, *rp, *p, *rrp, *np, *cp, v;
+        size_t newsize;
         BUF_MEM *buf;
 
         if ((buf = BUF_MEM_new()) == NULL)
@@ -563,8 +566,12 @@ str_copy(CONF *conf, char *section, char **pto, char *from)
                                 CONFerror(CONF_R_VARIABLE_HAS_NO_VALUE);
                                 goto err;
                         }
-                        if (!BUF_MEM_grow_clean(buf,
-                                (strlen(p) + buf->length - (e - from)))) {
+                        newsize = strlen(p) + buf->length - (e - from);
+                        if (newsize > MAX_CONF_VALUE_LENGTH) {
+                                CONFerror(CONF_R_VARIABLE_EXPANSION_TOO_LONG);
+                                goto err;
+                        }
+                        if (!BUF_MEM_grow_clean(buf, newsize)) {
                                 CONFerror(CONF_R_MODULE_INITIALIZATION_ERROR);
                                 goto err;
                         }
diff --git a/src/lib/libcrypto/conf/conf_err.c b/src/lib/libcrypto/conf/conf_err.c
index dbb373ae85..1e5eaff60e 100644
--- a/src/lib/libcrypto/conf/conf_err.c
+++ b/src/lib/libcrypto/conf/conf_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_err.c,v 1.13 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: conf_err.c,v 1.14 2020/02/17 12:51:48 inoguchi Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
@@ -92,6 +92,7 @@ static ERR_STRING_DATA CONF_str_reasons[]= {
         {ERR_REASON(CONF_R_NO_VALUE)             , "no value"},
         {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "unable to create new section"},
         {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME)  , "unknown module name"},
+        {ERR_REASON(CONF_R_VARIABLE_EXPANSION_TOO_LONG), "variable expansion too long"},
         {ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE), "variable has no value"},
         {0, NULL}
 };