diff options
| author | jsing <> | 2021-09-23 15:49:48 +0000 |
|---|---|---|
| committer | jsing <> | 2021-09-23 15:49:48 +0000 |
| commit | bb080a758b26689122e28d80215b720e5058a6ec (patch) | |
| tree | 668d7fc9b9f7b69884289a083e0fe9bde29cac9b /src/lib | |
| parent | edfd994450b5e0617f6ab9d30f8e083f90bc3f86 (diff) | |
| download | openbsd-bb080a758b26689122e28d80215b720e5058a6ec.tar.gz openbsd-bb080a758b26689122e28d80215b720e5058a6ec.tar.bz2 openbsd-bb080a758b26689122e28d80215b720e5058a6ec.zip | |
Avoid a potential overread in x509_constraints_parse_mailbox()
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_constraints.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index fade58c620..db33bf1aa4 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_constraints.c,v 1.16 2021/04/27 03:35:29 beck Exp $ */ | 1 | /* $OpenBSD: x509_constraints.c,v 1.17 2021/09/23 15:49:48 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -339,16 +339,16 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 339 | if (c == '.') | 339 | if (c == '.') |
| 340 | goto bad; | 340 | goto bad; |
| 341 | } | 341 | } |
| 342 | if (wi > DOMAIN_PART_MAX_LEN) | ||
| 343 | goto bad; | ||
| 344 | if (accept) { | 342 | if (accept) { |
| 343 | if (wi >= DOMAIN_PART_MAX_LEN) | ||
| 344 | goto bad; | ||
| 345 | working[wi++] = c; | 345 | working[wi++] = c; |
| 346 | accept = 0; | 346 | accept = 0; |
| 347 | continue; | 347 | continue; |
| 348 | } | 348 | } |
| 349 | if (candidate_local != NULL) { | 349 | if (candidate_local != NULL) { |
| 350 | /* We are looking for the domain part */ | 350 | /* We are looking for the domain part */ |
| 351 | if (wi > DOMAIN_PART_MAX_LEN) | 351 | if (wi >= DOMAIN_PART_MAX_LEN) |
| 352 | goto bad; | 352 | goto bad; |
| 353 | working[wi++] = c; | 353 | working[wi++] = c; |
| 354 | if (i == len - 1) { | 354 | if (i == len - 1) { |
| @@ -363,7 +363,7 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 363 | continue; | 363 | continue; |
| 364 | } | 364 | } |
| 365 | /* We are looking for the local part */ | 365 | /* We are looking for the local part */ |
| 366 | if (wi > LOCAL_PART_MAX_LEN) | 366 | if (wi >= LOCAL_PART_MAX_LEN) |
| 367 | break; | 367 | break; |
| 368 | 368 | ||
| 369 | if (quoted) { | 369 | if (quoted) { |
| @@ -383,6 +383,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 383 | */ | 383 | */ |
| 384 | if (c == 9) | 384 | if (c == 9) |
| 385 | goto bad; | 385 | goto bad; |
| 386 | if (wi >= LOCAL_PART_MAX_LEN) | ||
| 387 | goto bad; | ||
| 386 | working[wi++] = c; | 388 | working[wi++] = c; |
| 387 | continue; /* all's good inside our quoted string */ | 389 | continue; /* all's good inside our quoted string */ |
| 388 | } | 390 | } |
| @@ -412,6 +414,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, | |||
| 412 | } | 414 | } |
| 413 | if (!local_part_ok(c)) | 415 | if (!local_part_ok(c)) |
| 414 | goto bad; | 416 | goto bad; |
| 417 | if (wi >= LOCAL_PART_MAX_LEN) | ||
| 418 | goto bad; | ||
| 415 | working[wi++] = c; | 419 | working[wi++] = c; |
| 416 | } | 420 | } |
| 417 | if (candidate_local == NULL || candidate_domain == NULL) | 421 | if (candidate_local == NULL || candidate_domain == NULL) |