From 63f370da2a67eb9d27cc1ec17bdf5c52ed842a43 Mon Sep 17 00:00:00 2001
From: inoguchi <>
Date: Mon, 17 Feb 2020 12:51:48 +0000
Subject: Restrict the length of openssl conf value string

There was no limitation for the length of openssl conf value.
This brings possibility of out-of-memory problem as oss-fuzz had detected.
This diff restricts the length of conf value up to 64k.

ok jsing@
---
 src/lib/libcrypto/conf/conf.h     |  3 ++-
 src/lib/libcrypto/conf/conf_def.c | 13 ++++++++++---
 src/lib/libcrypto/conf/conf_err.c |  3 ++-
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/lib/libcrypto/conf/conf.h b/src/lib/libcrypto/conf/conf.h
index 095066d31b..bea6a87197 100644
--- a/src/lib/libcrypto/conf/conf.h
+++ b/src/lib/libcrypto/conf/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.14 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: conf.h,v 1.15 2020/02/17 12:51:48 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -241,6 +241,7 @@ void ERR_load_CONF_strings(void);
 #define CONF_R_NO_VALUE					 108
 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION		 103
 #define CONF_R_UNKNOWN_MODULE_NAME			 113
+#define CONF_R_VARIABLE_EXPANSION_TOO_LONG		 116
 #define CONF_R_VARIABLE_HAS_NO_VALUE			 104
 
 #ifdef  __cplusplus
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 4099ffc66c..f2b2c9477b 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_def.c,v 1.32 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: conf_def.c,v 1.33 2020/02/17 12:51:48 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -70,6 +70,8 @@
 
 #include "conf_def.h"
 
+#define MAX_CONF_VALUE_LENGTH 65536
+
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
 static void clear_comments(CONF *conf, char *p);
@@ -455,6 +457,7 @@ str_copy(CONF *conf, char *section, char **pto, char *from)
 {
 	int q, r,rr = 0, to = 0, len = 0;
 	char *s, *e, *rp, *p, *rrp, *np, *cp, v;
+	size_t newsize;
 	BUF_MEM *buf;
 
 	if ((buf = BUF_MEM_new()) == NULL)
@@ -563,8 +566,12 @@ str_copy(CONF *conf, char *section, char **pto, char *from)
 				CONFerror(CONF_R_VARIABLE_HAS_NO_VALUE);
 				goto err;
 			}
-			if (!BUF_MEM_grow_clean(buf,
-				(strlen(p) + buf->length - (e - from)))) {
+			newsize = strlen(p) + buf->length - (e - from);
+			if (newsize > MAX_CONF_VALUE_LENGTH) {
+				CONFerror(CONF_R_VARIABLE_EXPANSION_TOO_LONG);
+				goto err;
+			}
+			if (!BUF_MEM_grow_clean(buf, newsize)) {
 				CONFerror(CONF_R_MODULE_INITIALIZATION_ERROR);
 				goto err;
 			}
diff --git a/src/lib/libcrypto/conf/conf_err.c b/src/lib/libcrypto/conf/conf_err.c
index dbb373ae85..1e5eaff60e 100644
--- a/src/lib/libcrypto/conf/conf_err.c
+++ b/src/lib/libcrypto/conf/conf_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_err.c,v 1.13 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: conf_err.c,v 1.14 2020/02/17 12:51:48 inoguchi Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
@@ -92,6 +92,7 @@ static ERR_STRING_DATA CONF_str_reasons[]= {
 	{ERR_REASON(CONF_R_NO_VALUE)             , "no value"},
 	{ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "unable to create new section"},
 	{ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME)  , "unknown module name"},
+	{ERR_REASON(CONF_R_VARIABLE_EXPANSION_TOO_LONG), "variable expansion too long"},
 	{ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE), "variable has no value"},
 	{0, NULL}
 };
-- 
cgit v1.2.3-55-g6feb