| author | tb <> | 2021-12-23 23:48:38 +0000 |
|---|---|---|
| committer | tb <> | 2021-12-23 23:48:38 +0000 |
| commit | a8c6bd3f4864e435533c00c9ae6b7e758b0f76d8 (patch) | |
| tree | 03beb7b181535d4187f652d4b27e9e147a09a9bf /src | |
| parent | 26baf08c7f85a1517e13b4ddbd743ec27f1eb52b (diff) | |
Fully check the second strtoul() call in v2i_IPAddrBlocks()
This can read a value in an arbitrary base from a string that is
supposed to be followed by whitespace or a colon, so it cannot be
switched to strtonum(). The current checks don't allow a read past
the end, but let's use the standard idiom instead.
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_addr.c | 37 |
1 files changed, 34 insertions, 3 deletions
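--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_addr.c,v 1.21 2021/12/23 23:41:26 tb Exp $ */
+/* $OpenBSD: x509_addr.c,v 1.22 2021/12/23 23:48:38 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -60,6 +60,7 @@
 * Implementation of RFC 3779 section 2.2.
 */
 
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -1216,14 +1217,44 @@ v2i_IPAddrBlocks(const struct v3_ext_method *method, struct v3_ext_ctx *ctx,
 * the other input values.
 */
 if (safi != NULL) {
-*safi = strtoul(val->value, &t, 0);
+unsigned long parsed_safi;
+int saved_errno = errno;
+
+errno = 0;
+parsed_safi = strtoul(val->value, &t, 0);
+
+/* Value must be present, then a tab, space or colon. */
+if (val->value[0] == '\0' ||
+(*t != '\t' && *t != ' ' && *t != ':')) {
+X509V3error(X509V3_R_INVALID_SAFI);
+X509V3_conf_err(val);
+goto err;
+}
+/* Range and overflow check. */
+if ((errno == ERANGE && parsed_safi == ULONG_MAX) ||
+parsed_safi > 0xFF) {
+X509V3error(X509V3_R_INVALID_SAFI);
+X509V3_conf_err(val);
+goto err;
+}
+errno = saved_errno;
+
+*safi = parsed_safi;
+
+/* Check possible whitespace is followed by a colon. */
 t += strspn(t, " \t");
-if (*safi > 0xFF || *t++ != ':') {
+if (*t != ':') {
 X509V3error(X509V3_R_INVALID_SAFI);
 X509V3_conf_err(val);
 goto err;
 }
+
+/* Skip over colon. */
+t++;
+
+/* Then over any trailing whitespace. */
 t += strspn(t, " \t");
+
 s = strdup(t);
 } else {
 s = strdup(val->value);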
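Review bot: The presence test `val->value[0] == '\0'` in the new SAFI block rejects only an empty string, so a value with no digits at all still gets through. For input that begins with a colon, or with whitespace and then a colon, strtoul() converts nothing, leaves `t` equal to `val->value` and returns 0. The delimiter test then passes and `*safi` is silently set to 0, which contradicts the comment "Value must be present". The usual end-pointer idiom closes this and still covers the empty string: `if (t == val->value ||` in place of `if (val->value[0] == '\0' ||`. Separately, the hunk adds `<limits.h>` for ULONG_MAX but not `<errno.h>`, which is presumably included outside the visible context and is worth confirming; v2i_IPAddrBlocks() itself starts and ends outside this hunk.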
