author | tb <> | 2021-12-23 23:41:26 +0000 |
---|---|---|
committer | tb <> | 2021-12-23 23:41:26 +0000 |
commit | fd87613173bbc28c5d6544f9d6b096e65bfe707c (patch) | |
tree | 43faad4048f0935461e4a49b8d3647e2e202393f /src/lib/libc | |
parent | a92becc0304c2a08497aa001a61f8744d671aa5c (diff) | |

Fix an arbitrary out-of-bounds stack read in v2i_IPAddrBlocks()

Switch an insufficiently checked strtoul() to strtonum(). This can
be used to trigger a read of a user-controlled size from the stack.

    $ openssl req -new -addext 'sbgp-ipAddrBlock = IPv4:192.0.2.0/12341234'
    Segmentation fault (core dumped)

The bogus prefix length 12341234 is fed into X509v3_addr_add_prefix() and
used to read (prefixlen + 7) / 8 bytes from the stack variable 'min[16]'
that ends up as 'data' in the memmove in ASN1_STRING_set().

The full fix will add length checks to X509v3_addr_add_prefix() and
make_addressPrefix() and will be dealt with later. The entire
X509v3_{addr,asid}_* API will need a thorough review before it can be
exposed.

This code is only enabled in -current and can only be reached from
openssl.cnf files that contain sbgp-ipAddrBlock or from the openssl(1)
command line.

ok jsing

Diffstat (limited to 'src/lib/libc')
0 files changed, 0 insertions, 0 deletions
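
The bounds check the commit message describes, as an added example that is not the OpenBSD code: the lenient parser is a constructed illustration of a strtoul() parse with no upper bound, and `parse_prefixlen_bounded()` is a portable stand-in for a strtonum() call limited to the address width. The function names and `ADDR_BUF_LEN` are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define ADDR_BUF_LEN 16 /* size of the 'min[16]' buffer named in the commit message */

/* Number of bytes a prefix of this length asks the caller to copy. */
static size_t prefix_bytes(unsigned long prefixlen)
{
    return (prefixlen + 7) / 8;
}

/* Lenient parse (constructed illustration): any all-digit string is accepted,
 * with no upper bound tied to the address family. Returns 0 on success. */
static int parse_prefixlen_lenient(const char *s, unsigned long *out)
{
    char *end;
    *out = strtoul(s, &end, 10);
    return (end == s || *end != '\0') ? -1 : 0;
}

/* Bounded parse: stand-in for strtonum(s, 0, bits, &errstr). Rejects empty
 * input, signs, trailing junk, overflow and values above the address width. */
static int parse_prefixlen_bounded(const char *s, unsigned bits, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s[0] < '0' || s[0] > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > bits)
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    const char *input = "12341234"; /* prefix length from the commit message */
    unsigned long len;
    if (parse_prefixlen_lenient(input, &len) == 0)
        printf("lenient: accepted, asks for %zu bytes from a %d-byte buffer\n",
            prefix_bytes(len), ADDR_BUF_LEN);
    if (parse_prefixlen_bounded(input, 32, &len) != 0)
        printf("bounded: rejected for IPv4 (maximum 32)\n");
    return 0;
}
```

With the bound set to the address width (32 for IPv4, 128 for IPv6), `prefix_bytes()` can never exceed `ADDR_BUF_LEN`, which is the invariant the later length checks in X509v3_addr_add_prefix() and make_addressPrefix() are meant to enforce as well.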