diff options
| author | deraadt <> | 2021-09-26 14:07:09 +0000 |
|---|---|---|
| committer | deraadt <> | 2021-09-26 14:07:09 +0000 |
| commit | a1d75ef500e825541180bdb19831512601dd5a76 (patch) | |
| tree | 9a5c4bb124b8307001aa26f467fdb657d3f47c6e | |
| parent | 5a34adb042399d80d343b9a7e7a0e6873f5e0c49 (diff) | |
| download | openbsd-a1d75ef500e825541180bdb19831512601dd5a76.tar.gz openbsd-a1d75ef500e825541180bdb19831512601dd5a76.tar.bz2 openbsd-a1d75ef500e825541180bdb19831512601dd5a76.zip | |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
this is 6.8 errata 031
| -rw-r--r-- | src/lib/libcrypto/x509/x509_constraints.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 5659d6e6a7..f84013e299 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_constraints.c,v 1.10 2020/09/21 05:41:43 tb Exp $ */ | 1 | /* $OpenBSD: x509_constraints.c,v 1.10.4.1 2021/09/26 14:07:09 deraadt Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -323,16 +323,16 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 323 | if (c == '.') | 323 | if (c == '.') |
| 324 | goto bad; | 324 | goto bad; |
| 325 | } | 325 | } |
| 326 | if (wi > DOMAIN_PART_MAX_LEN) | ||
| 327 | goto bad; | ||
| 328 | if (accept) { | 326 | if (accept) { |
| 327 | if (wi >= DOMAIN_PART_MAX_LEN) | ||
| 328 | goto bad; | ||
| 329 | working[wi++] = c; | 329 | working[wi++] = c; |
| 330 | accept = 0; | 330 | accept = 0; |
| 331 | continue; | 331 | continue; |
| 332 | } | 332 | } |
| 333 | if (candidate_local != NULL) { | 333 | if (candidate_local != NULL) { |
| 334 | /* We are looking for the domain part */ | 334 | /* We are looking for the domain part */ |
| 335 | if (wi > DOMAIN_PART_MAX_LEN) | 335 | if (wi >= DOMAIN_PART_MAX_LEN) |
| 336 | goto bad; | 336 | goto bad; |
| 337 | working[wi++] = c; | 337 | working[wi++] = c; |
| 338 | if (i == len - 1) { | 338 | if (i == len - 1) { |
| @@ -347,7 +347,7 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 347 | continue; | 347 | continue; |
| 348 | } | 348 | } |
| 349 | /* We are looking for the local part */ | 349 | /* We are looking for the local part */ |
| 350 | if (wi > LOCAL_PART_MAX_LEN) | 350 | if (wi >= LOCAL_PART_MAX_LEN) |
| 351 | break; | 351 | break; |
| 352 | 352 | ||
| 353 | if (quoted) { | 353 | if (quoted) { |
| @@ -367,6 +367,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 367 | */ | 367 | */ |
| 368 | if (c == 9) | 368 | if (c == 9) |
| 369 | goto bad; | 369 | goto bad; |
| 370 | if (wi >= LOCAL_PART_MAX_LEN) | ||
| 371 | goto bad; | ||
| 370 | working[wi++] = c; | 372 | working[wi++] = c; |
| 371 | continue; /* all's good inside our quoted string */ | 373 | continue; /* all's good inside our quoted string */ |
| 372 | } | 374 | } |
| @@ -396,6 +398,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 396 | } | 398 | } |
| 397 | if (!local_part_ok(c)) | 399 | if (!local_part_ok(c)) |
| 398 | goto bad; | 400 | goto bad; |
| 401 | if (wi >= LOCAL_PART_MAX_LEN) | ||
| 402 | goto bad; | ||
| 399 | working[wi++] = c; | 403 | working[wi++] = c; |
| 400 | } | 404 | } |
| 401 | if (candidate_local == NULL || candidate_domain == NULL) | 405 | if (candidate_local == NULL || candidate_domain == NULL) |