path: root/src/lib/libc/stdlib/ecvt.c
author: tb <> 2021-12-23 23:41:26 +0000
committer: tb <> 2021-12-23 23:41:26 +0000
commit: 26baf08c7f85a1517e13b4ddbd743ec27f1eb52b
tree: 43faad4048f0935461e4a49b8d3647e2e202393f /src/lib/libc/stdlib/ecvt.c
parent: 0a656693e344308439016226ee4fc5ea11ab7547
Fix an arbitrary out-of-bounds stack read in v2i_IPAddrBlocks()

Switch an insufficiently checked strtoul() to strtonum(). This can be used
to trigger a read of a user-controlled size from the stack.

$ openssl req -new -addext 'sbgp-ipAddrBlock = IPv4:192.0.2.0/12341234'
Segmentation fault (core dumped)

The bogus prefix length 12341234 is fed into X509v3_addr_add_prefix() and
used to read (prefixlen + 7) / 8 bytes from the stack variable 'min[16]'
that ends up as 'data' in the memmove in ASN1_STRING_set().

The full fix will add length checks to X509v3_addr_add_prefix() and
make_addressPrefix() and will be dealt with later.

The entire X509v3_{addr,asid}_* API will need a thorough review before
it can be exposed.

This code is only enabled in -current and can only be reached from
openssl.cnf files that contain sbgp-ipAddrBlock or from the openssl(1)
command line.

ok jsing

Diffstat (limited to 'src/lib/libc/stdlib/ecvt.c')
0 files changed, 0 insertions, 0 deletions
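
Added example, not code from this commit or from the OpenBSD tree: a C sketch of the difference the commit message describes between a loosely checked strtoul() and a range-bounded parse, together with the kind of length check the message says is still to be added before (prefixlen + 7) / 8 bytes are read from a 16-byte buffer. The function names, the loose check and the portable stand-in for strtonum() are assumptions for illustration; 12341234 is the prefix length quoted in the message.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_MAX_BYTES 16 /* size of the 'min[16]' buffer named in the message */

/* Hypothetical loose parse: rejects trailing junk only, so any magnitude passes. */
static int parse_loose(const char *s, unsigned long *out)
{
    char *end;
    *out = strtoul(s, &end, 10);
    return (end != s && *end == '\0') ? 0 : -1;
}

/* Bounded parse: portable stand-in (assumption) for strtonum(s, 0, max_bits, ...). */
static int parse_bounded(const char *s, unsigned long max_bits, unsigned long *out)
{
    char *end;
    unsigned long v;
    if (s[0] < '0' || s[0] > '9') /* reject empty input, sign, leading space */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max_bits)
        return -1;
    *out = v;
    return 0;
}

/* Copy the (prefixlen + 7) / 8 bytes a prefix covers, refusing oversized lengths. */
static int copy_prefix(unsigned char *dst, const unsigned char *addr,
                       unsigned long prefixlen)
{
    if (prefixlen > ADDR_MAX_BYTES * 8) /* check before the arithmetic */
        return -1;
    memcpy(dst, addr, (prefixlen + 7) / 8);
    return (int)((prefixlen + 7) / 8);
}

int main(void)
{
    unsigned long v = 0; /* constructed input: the prefix length from the message */
    printf("loose=%d ", parse_loose("12341234", &v));
    printf("would read %lu bytes\n", (v + 7) / 8);
    printf("bounded=%d\n", parse_bounded("12341234", 32, &v));
    return 0;
}
```

The bound passed to parse_bounded() is 32 for an IPv4 prefix and would be 128 for IPv6; copy_prefix() repeats the limit at the point of the copy, so a caller that skips the parser still cannot read past the 16-byte buffer.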