mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
See CRL-01-006.
This commit is contained in:
parent
3e9c0230f4
commit
945f60e8a7
@ -66,16 +66,27 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
|||||||
char *plainauth;
|
char *plainauth;
|
||||||
size_t ulen;
|
size_t ulen;
|
||||||
size_t plen;
|
size_t plen;
|
||||||
|
size_t plainlen;
|
||||||
|
|
||||||
|
*outlen = 0;
|
||||||
|
*outptr = NULL;
|
||||||
ulen = strlen(userp);
|
ulen = strlen(userp);
|
||||||
plen = strlen(passwdp);
|
plen = strlen(passwdp);
|
||||||
|
|
||||||
plainauth = malloc(2 * ulen + plen + 2);
|
/* Compute binary message length, checking for overflows. */
|
||||||
if(!plainauth) {
|
plainlen = 2 * ulen;
|
||||||
*outlen = 0;
|
if(plainlen < ulen)
|
||||||
*outptr = NULL;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
plainlen += plen;
|
||||||
|
if(plainlen < plen)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
plainlen += 2;
|
||||||
|
if(plainlen < 2)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
plainauth = malloc(plainlen);
|
||||||
|
if(!plainauth)
|
||||||
return CURLE_OUT_OF_MEMORY;
|
return CURLE_OUT_OF_MEMORY;
|
||||||
}
|
|
||||||
|
|
||||||
/* Calculate the reply */
|
/* Calculate the reply */
|
||||||
memcpy(plainauth, userp, ulen);
|
memcpy(plainauth, userp, ulen);
|
||||||
@ -85,8 +96,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
|||||||
memcpy(plainauth + 2 * ulen + 2, passwdp, plen);
|
memcpy(plainauth + 2 * ulen + 2, passwdp, plen);
|
||||||
|
|
||||||
/* Base64 encode the reply */
|
/* Base64 encode the reply */
|
||||||
result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
|
result = Curl_base64_encode(data, plainauth, plainlen, outptr, outlen);
|
||||||
outlen);
|
|
||||||
free(plainauth);
|
free(plainauth);
|
||||||
|
|
||||||
return result;
|
return result;
|
||||||
|
@ -512,7 +512,8 @@ cyassl_connect_step2(struct connectdata *conn,
|
|||||||
}
|
}
|
||||||
|
|
||||||
memset(&x509_parsed, 0, sizeof x509_parsed);
|
memset(&x509_parsed, 0, sizeof x509_parsed);
|
||||||
Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len);
|
if(Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len))
|
||||||
|
return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
|
||||||
|
|
||||||
pubkey = &x509_parsed.subjectPublicKeyInfo;
|
pubkey = &x509_parsed.subjectPublicKeyInfo;
|
||||||
if(!pubkey->header || pubkey->end <= pubkey->header) {
|
if(!pubkey->header || pubkey->end <= pubkey->header) {
|
||||||
|
@ -875,9 +875,8 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
|
|||||||
curl_X509certificate x509;
|
curl_X509certificate x509;
|
||||||
curl_asn1Element *p;
|
curl_asn1Element *p;
|
||||||
|
|
||||||
if(!cert)
|
if(Curl_parseX509(&x509, cert, certend))
|
||||||
return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
|
return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
|
||||||
Curl_parseX509(&x509, cert, certend);
|
|
||||||
p = &x509.subjectPublicKeyInfo;
|
p = &x509.subjectPublicKeyInfo;
|
||||||
result = Curl_pin_peer_pubkey(data, ptr, p->header, p->end - p->header);
|
result = Curl_pin_peer_pubkey(data, ptr, p->header, p->end - p->header);
|
||||||
if(result) {
|
if(result) {
|
||||||
|
@ -40,6 +40,9 @@
|
|||||||
#include "curl_memory.h"
|
#include "curl_memory.h"
|
||||||
#include "memdebug.h"
|
#include "memdebug.h"
|
||||||
|
|
||||||
|
/* For overflow checks. */
|
||||||
|
#define CURL_SIZE_T_MAX ((size_t) ~0)
|
||||||
|
|
||||||
|
|
||||||
/* ASN.1 OIDs. */
|
/* ASN.1 OIDs. */
|
||||||
static const char cnOID[] = "2.5.4.3"; /* Common name. */
|
static const char cnOID[] = "2.5.4.3"; /* Common name. */
|
||||||
@ -117,7 +120,7 @@ const char * Curl_getASN1Element(curl_asn1Element * elem,
|
|||||||
Returns a pointer in source string after the parsed element, or NULL
|
Returns a pointer in source string after the parsed element, or NULL
|
||||||
if an error occurs. */
|
if an error occurs. */
|
||||||
|
|
||||||
if(beg >= end || !*beg)
|
if(!beg || !end || (size_t) (end - beg) > CURL_ASN1_MAX)
|
||||||
return (const char *) NULL;
|
return (const char *) NULL;
|
||||||
|
|
||||||
/* Process header byte. */
|
/* Process header byte. */
|
||||||
@ -198,15 +201,17 @@ static const char * bool2str(const char * beg, const char * end)
|
|||||||
static const char * octet2str(const char * beg, const char * end)
|
static const char * octet2str(const char * beg, const char * end)
|
||||||
{
|
{
|
||||||
size_t n = end - beg;
|
size_t n = end - beg;
|
||||||
char * buf;
|
char * buf = NULL;
|
||||||
|
|
||||||
/* Convert an ASN.1 octet string to a printable string.
|
/* Convert an ASN.1 octet string to a printable string.
|
||||||
Return the dynamically allocated string, or NULL if an error occurs. */
|
Return the dynamically allocated string, or NULL if an error occurs. */
|
||||||
|
|
||||||
|
if(n <= (CURL_SIZE_T_MAX - 1) / 3) {
|
||||||
buf = malloc(3 * n + 1);
|
buf = malloc(3 * n + 1);
|
||||||
if(buf)
|
if(buf)
|
||||||
for(n = 0; beg < end; n += 3)
|
for(n = 0; beg < end; n += 3)
|
||||||
snprintf(buf + n, 4, "%02x:", *(const unsigned char *) beg++);
|
snprintf(buf + n, 4, "%02x:", *(const unsigned char *) beg++);
|
||||||
|
}
|
||||||
return buf;
|
return buf;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -282,6 +287,8 @@ utf8asn1str(char * * to, int type, const char * from, const char * end)
|
|||||||
|
|
||||||
if(inlength % size)
|
if(inlength % size)
|
||||||
return -1; /* Length inconsistent with character size. */
|
return -1; /* Length inconsistent with character size. */
|
||||||
|
if(inlength / size > (CURL_SIZE_T_MAX - 1) / 4)
|
||||||
|
return -1; /* Too big. */
|
||||||
buf = malloc(4 * (inlength / size) + 1);
|
buf = malloc(4 * (inlength / size) + 1);
|
||||||
if(!buf)
|
if(!buf)
|
||||||
return -1; /* Not enough memory. */
|
return -1; /* Not enough memory. */
|
||||||
@ -669,7 +676,7 @@ const char * Curl_DNtostr(curl_asn1Element * dn)
|
|||||||
* X509 parser.
|
* X509 parser.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
void Curl_parseX509(curl_X509certificate * cert,
|
int Curl_parseX509(curl_X509certificate * cert,
|
||||||
const char * beg, const char * end)
|
const char * beg, const char * end)
|
||||||
{
|
{
|
||||||
curl_asn1Element elem;
|
curl_asn1Element elem;
|
||||||
@ -686,7 +693,8 @@ void Curl_parseX509(curl_X509certificate * cert,
|
|||||||
cert->certificate.end = end;
|
cert->certificate.end = end;
|
||||||
|
|
||||||
/* Get the sequence content. */
|
/* Get the sequence content. */
|
||||||
Curl_getASN1Element(&elem, beg, end);
|
if(!Curl_getASN1Element(&elem, beg, end))
|
||||||
|
return -1; /* Invalid bounds/size. */
|
||||||
beg = elem.beg;
|
beg = elem.beg;
|
||||||
end = elem.end;
|
end = elem.end;
|
||||||
|
|
||||||
@ -749,6 +757,7 @@ void Curl_parseX509(curl_X509certificate * cert,
|
|||||||
}
|
}
|
||||||
if(elem.tag == 3)
|
if(elem.tag == 3)
|
||||||
Curl_getASN1Element(&cert->extensions, elem.beg, elem.end);
|
Curl_getASN1Element(&cert->extensions, elem.beg, elem.end);
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static size_t copySubstring(char * to, const char * from)
|
static size_t copySubstring(char * to, const char * from)
|
||||||
@ -889,7 +898,8 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
|
|||||||
/* Prepare the certificate information for curl_easy_getinfo(). */
|
/* Prepare the certificate information for curl_easy_getinfo(). */
|
||||||
|
|
||||||
/* Extract the certificate ASN.1 elements. */
|
/* Extract the certificate ASN.1 elements. */
|
||||||
Curl_parseX509(&cert, beg, end);
|
if(Curl_parseX509(&cert, beg, end))
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
/* Subject. */
|
/* Subject. */
|
||||||
ccp = Curl_DNtostr(&cert.subject);
|
ccp = Curl_DNtostr(&cert.subject);
|
||||||
@ -1080,9 +1090,8 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
|
|||||||
if(!data->set.ssl.verifyhost)
|
if(!data->set.ssl.verifyhost)
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
|
|
||||||
if(!beg)
|
if(Curl_parseX509(&cert, beg, end))
|
||||||
return CURLE_PEER_FAILED_VERIFICATION;
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
Curl_parseX509(&cert, beg, end);
|
|
||||||
|
|
||||||
/* Get the server IP address. */
|
/* Get the server IP address. */
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
* | (__| |_| | _ <| |___
|
* | (__| |_| | _ <| |___
|
||||||
* \___|\___/|_| \_\_____|
|
* \___|\___/|_| \_\_____|
|
||||||
*
|
*
|
||||||
* Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
|
* Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
*
|
*
|
||||||
* This software is licensed as described in the file COPYING, which
|
* This software is licensed as described in the file COPYING, which
|
||||||
* you should have received as part of this distribution. The terms
|
* you should have received as part of this distribution. The terms
|
||||||
@ -34,6 +34,9 @@
|
|||||||
* Constants.
|
* Constants.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
/* Largest supported ASN.1 structure. */
|
||||||
|
#define CURL_ASN1_MAX ((size_t) 0x40000) /* 256K */
|
||||||
|
|
||||||
/* ASN.1 classes. */
|
/* ASN.1 classes. */
|
||||||
#define CURL_ASN1_UNIVERSAL 0
|
#define CURL_ASN1_UNIVERSAL 0
|
||||||
#define CURL_ASN1_APPLICATION 1
|
#define CURL_ASN1_APPLICATION 1
|
||||||
@ -121,7 +124,7 @@ const char * Curl_getASN1Element(curl_asn1Element * elem,
|
|||||||
const char * beg, const char * end);
|
const char * beg, const char * end);
|
||||||
const char * Curl_ASN1tostr(curl_asn1Element * elem, int type);
|
const char * Curl_ASN1tostr(curl_asn1Element * elem, int type);
|
||||||
const char * Curl_DNtostr(curl_asn1Element * dn);
|
const char * Curl_DNtostr(curl_asn1Element * dn);
|
||||||
void Curl_parseX509(curl_X509certificate * cert,
|
int Curl_parseX509(curl_X509certificate * cert,
|
||||||
const char * beg, const char * end);
|
const char * beg, const char * end);
|
||||||
CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum,
|
CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum,
|
||||||
const char * beg, const char * end);
|
const char * beg, const char * end);
|
||||||
|
Loading…
Reference in New Issue
Block a user