From ac446f804f10dfa09dd8c5e483ded6d2ac7cdeb7 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 20 Sep 2020 18:22:31 +0000
Subject: Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future. found by Guido Vranken's cryptofuzzer ok tb@
---
src/lib/libcrypto/x509/x509_constraints.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 5abea52e59..8fafadfcdf 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.5 2020/09/20 03:19:52 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.6 2020/09/20 18:22:31 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck
 *
@@ -438,7 +438,7 @@ x509_constraints_valid_domain_constraint(uint8_t *constraint, size_t len)
 * the caller must free, or or NULL if it could not be found or is
 * invalid.
 *
- * rfc 3986:
+ * RFC 3986:
 * the authority part of a uri starts with // and is terminated with
 * the next '/', '?', '#' or end of the URI.
 *
@@ -454,7 +454,12 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char**hostpart)
 uint8_t *authority = NULL;
 char *host = NULL;
- /* find first // */
+ /*
+ * Find first '//'. there must be at least a '//' and
+ * something else.
+ */
+ if (len < 3)
+ return 0;
 for (i = 0; i < len - 1; i++) {
 if (!isascii(uri[i]))
 return 0;
@@ -557,7 +562,7 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint,
 size_t len, int *error)
 {
 int ret = 0;
- char *hostpart;
+ char *hostpart = NULL;
 if (!x509_constraints_uri_host(uri, ulen, &hostpart)) {
 *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
--
cgit v1.2.3-55-g6feb
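Review bot: The loop bound `len - 1` on the context line directly after the new guard in x509_constraints_uri_host is still safe only because of that guard: len is a size_t, so a zero length would wrap the bound and the scan would run past the buffer. Writing the condition as `for (i = 0; i + 1 < len; i++) {` keeps the bound correct on its own, so the protection survives if the `len < 3` check is later moved or relaxed. The new comment explains the "'//' and something else" minimum but not the wrap, so a line such as `/* len is unsigned: len - 1 below must not wrap */` would record why the check has to come before the loop. The loop body continues outside the hunk, so any lookahead at the next byte is presumed rather than visible here.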
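Review bot: Initialising `hostpart` to NULL in x509_constraints_uri protects this caller only; x509_constraints_uri_host still returns 0 without writing `*hostpart` on the failure paths visible in the earlier hunk (the new `len < 3` return and the non-ASCII return). The header comment of x509_constraints_uri_host should state that contract, for example `On failure *hostpart is left untouched; callers must initialise it to NULL.`, or the function could clear the output at entry when a non-NULL pointer is passed. How hostpart is released on the error path of x509_constraints_uri lies outside the hunk, so that the uninitialised value was reachable there is inferred from the change rather than visible.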