Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.

See CRL-01-006.
2016-11-24 14:28:39 +01:00 · 2016-11-24 14:28:39 +01:00 · 945f60e8a7
parent 3e9c0230f4
commit 945f60e8a7
5 changed files with 47 additions and 25 deletions
--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
@ -66,16 +66,27 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
  char *plainauth;
  size_t ulen;
  size_t plen;
+  size_t plainlen;

+  *outlen = 0;
+  *outptr = NULL;
  ulen = strlen(userp);
  plen = strlen(passwdp);

-  plainauth = malloc(2 * ulen + plen + 2);
-  if(!plainauth) {
-    *outlen = 0;
-    *outptr = NULL;
+  /* Compute binary message length, checking for overflows. */
+  plainlen = 2 * ulen;
+  if(plainlen < ulen)
+    return CURLE_OUT_OF_MEMORY;
+  plainlen += plen;
+  if(plainlen < plen)
+    return CURLE_OUT_OF_MEMORY;
+  plainlen += 2;
+  if(plainlen < 2)
+    return CURLE_OUT_OF_MEMORY;
+
+  plainauth = malloc(plainlen);
+  if(!plainauth)
    return CURLE_OUT_OF_MEMORY;
-  }

  /* Calculate the reply */
  memcpy(plainauth, userp, ulen);
@ -85,8 +96,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
  memcpy(plainauth + 2 * ulen + 2, passwdp, plen);

  /* Base64 encode the reply */
-  result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
-                              outlen);
+  result = Curl_base64_encode(data, plainauth, plainlen, outptr, outlen);
  free(plainauth);

  return result;
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@ -512,7 +512,8 @@ cyassl_connect_step2(struct connectdata *conn,
    }

    memset(&x509_parsed, 0, sizeof x509_parsed);
-    Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len);
+    if(Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len))
+      return CURLE_SSL_PINNEDPUBKEYNOTMATCH;

    pubkey = &x509_parsed.subjectPublicKeyInfo;
    if(!pubkey->header || pubkey->end <= pubkey->header) {
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@ -875,9 +875,8 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
    curl_X509certificate x509;
    curl_asn1Element *p;

-    if(!cert)
+    if(Curl_parseX509(&x509, cert, certend))
      return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
-    Curl_parseX509(&x509, cert, certend);
    p = &x509.subjectPublicKeyInfo;
    result = Curl_pin_peer_pubkey(data, ptr, p->header, p->end - p->header);
    if(result) {
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@ -40,6 +40,9 @@
 #include "curl_memory.h"
 #include "memdebug.h"

+/* For overflow checks. */
+#define CURL_SIZE_T_MAX         ((size_t) ~0)
+

 /* ASN.1 OIDs. */
 static const char       cnOID[] = "2.5.4.3";    /* Common name. */
@ -117,7 +120,7 @@ const char * Curl_getASN1Element(curl_asn1Element * elem,
     Returns a pointer in source string after the parsed element, or NULL
     if an error occurs. */

-  if(beg >= end || !*beg)
+  if(!beg || !end || (size_t) (end - beg) > CURL_ASN1_MAX)
    return (const char *) NULL;

  /* Process header byte. */
@ -198,15 +201,17 @@ static const char * bool2str(const char * beg, const char * end)
 static const char * octet2str(const char * beg, const char * end)
 {
  size_t n = end - beg;
-  char * buf;
+  char * buf = NULL;

  /* Convert an ASN.1 octet string to a printable string.
     Return the dynamically allocated string, or NULL if an error occurs. */

-  buf = malloc(3 * n + 1);
-  if(buf)
-    for(n = 0; beg < end; n += 3)
-      snprintf(buf + n, 4, "%02x:", *(const unsigned char *) beg++);
+  if(n <= (CURL_SIZE_T_MAX - 1) / 3) {
+    buf = malloc(3 * n + 1);
+    if(buf)
+      for(n = 0; beg < end; n += 3)
+        snprintf(buf + n, 4, "%02x:", *(const unsigned char *) beg++);
+  }
  return buf;
 }

@ -282,6 +287,8 @@ utf8asn1str(char * * to, int type, const char * from, const char * end)

  if(inlength % size)
    return -1;  /* Length inconsistent with character size. */
+  if(inlength / size > (CURL_SIZE_T_MAX - 1) / 4)
+    return -1;  /* Too big. */
  buf = malloc(4 * (inlength / size) + 1);
  if(!buf)
    return -1;  /* Not enough memory. */
@ -669,8 +676,8 @@ const char * Curl_DNtostr(curl_asn1Element * dn)
 * X509 parser.
 */

-void Curl_parseX509(curl_X509certificate * cert,
-                    const char * beg, const char * end)
+int Curl_parseX509(curl_X509certificate * cert,
+                   const char * beg, const char * end)
 {
  curl_asn1Element elem;
  curl_asn1Element tbsCertificate;
@ -686,7 +693,8 @@ void Curl_parseX509(curl_X509certificate * cert,
  cert->certificate.end = end;

  /* Get the sequence content. */
-  Curl_getASN1Element(&elem, beg, end);
+  if(!Curl_getASN1Element(&elem, beg, end))
+    return -1;  /* Invalid bounds/size. */
  beg = elem.beg;
  end = elem.end;

@ -749,6 +757,7 @@ void Curl_parseX509(curl_X509certificate * cert,
  }
  if(elem.tag == 3)
    Curl_getASN1Element(&cert->extensions, elem.beg, elem.end);
+  return 0;
 }

 static size_t copySubstring(char * to, const char * from)
@ -889,7 +898,8 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
  /* Prepare the certificate information for curl_easy_getinfo(). */

  /* Extract the certificate ASN.1 elements. */
-  Curl_parseX509(&cert, beg, end);
+  if(Curl_parseX509(&cert, beg, end))
+    return CURLE_OUT_OF_MEMORY;

  /* Subject. */
  ccp = Curl_DNtostr(&cert.subject);
@ -1080,9 +1090,8 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
  if(!data->set.ssl.verifyhost)
    return CURLE_OK;

-  if(!beg)
+  if(Curl_parseX509(&cert, beg, end))
    return CURLE_PEER_FAILED_VERIFICATION;
-  Curl_parseX509(&cert, beg, end);

  /* Get the server IP address. */
 #ifdef ENABLE_IPV6
--- a/lib/x509asn1.h
+++ b/lib/x509asn1.h
@ -8,7 +8,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -34,6 +34,9 @@
 * Constants.
 */

+/* Largest supported ASN.1 structure. */
+#define CURL_ASN1_MAX                   ((size_t) 0x40000)      /* 256K */
+
 /* ASN.1 classes. */
 #define CURL_ASN1_UNIVERSAL             0
 #define CURL_ASN1_APPLICATION           1
@ -121,8 +124,8 @@ const char * Curl_getASN1Element(curl_asn1Element * elem,
                                 const char * beg, const char * end);
 const char * Curl_ASN1tostr(curl_asn1Element * elem, int type);
 const char * Curl_DNtostr(curl_asn1Element * dn);
-void Curl_parseX509(curl_X509certificate * cert,
-                    const char * beg, const char * end);
+int Curl_parseX509(curl_X509certificate * cert,
+                   const char * beg, const char * end);
 CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum,
                               const char * beg, const char * end);
 CURLcode Curl_verifyhost(struct connectdata * conn,