From bbe8bd912d6c1cef92033582134d76828d0563d3 Mon Sep 17 00:00:00 2001 From: Kinichiro Inoguchi Date: Mon, 17 Feb 2020 12:51:49 +0000 Subject: Restrict the length of openssl conf value string There was no limitation for the length of openssl conf value. This brings possibility of out-of-memory problem as oss-fuzz had detected. This diff restricts the length of conf value up to 64k. ok jsing@ --- lib/libcrypto/conf/conf.h | 3 ++- lib/libcrypto/conf/conf_def.c | 13 ++++++++++--- lib/libcrypto/conf/conf_err.c | 3 ++- 3 files changed, 14 insertions(+), 5 deletions(-) (limited to 'lib/libcrypto') diff --git a/lib/libcrypto/conf/conf.h b/lib/libcrypto/conf/conf.h index 095066d31bb..bea6a87197a 100644 --- a/lib/libcrypto/conf/conf.h +++ b/lib/libcrypto/conf/conf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.h,v 1.14 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: conf.h,v 1.15 2020/02/17 12:51:48 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -241,6 +241,7 @@ void ERR_load_CONF_strings(void); #define CONF_R_NO_VALUE 108 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103 #define CONF_R_UNKNOWN_MODULE_NAME 113 +#define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116 #define CONF_R_VARIABLE_HAS_NO_VALUE 104 #ifdef __cplusplus diff --git a/lib/libcrypto/conf/conf_def.c b/lib/libcrypto/conf/conf_def.c index 4099ffc66cb..f2b2c9477b0 100644 --- a/lib/libcrypto/conf/conf_def.c +++ b/lib/libcrypto/conf/conf_def.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_def.c,v 1.32 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: conf_def.c,v 1.33 2020/02/17 12:51:48 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,6 +70,8 @@ #include "conf_def.h" +#define MAX_CONF_VALUE_LENGTH 65536 + static char *eat_ws(CONF *conf, char *p); static char *eat_alpha_numeric(CONF *conf, char *p); static void clear_comments(CONF *conf, char *p); @@ -455,6 +457,7 @@ str_copy(CONF *conf, char *section, char **pto, char *from) { int q, r,rr = 0, to = 0, len = 0; char *s, *e, *rp, *p, *rrp, *np, *cp, v; + size_t newsize; BUF_MEM *buf; if ((buf = BUF_MEM_new()) == NULL) @@ -563,8 +566,12 @@ str_copy(CONF *conf, char *section, char **pto, char *from) CONFerror(CONF_R_VARIABLE_HAS_NO_VALUE); goto err; } - if (!BUF_MEM_grow_clean(buf, - (strlen(p) + buf->length - (e - from)))) { + newsize = strlen(p) + buf->length - (e - from); + if (newsize > MAX_CONF_VALUE_LENGTH) { + CONFerror(CONF_R_VARIABLE_EXPANSION_TOO_LONG); + goto err; + } + if (!BUF_MEM_grow_clean(buf, newsize)) { CONFerror(CONF_R_MODULE_INITIALIZATION_ERROR); goto err; } diff --git a/lib/libcrypto/conf/conf_err.c b/lib/libcrypto/conf/conf_err.c index dbb373ae851..1e5eaff60e5 100644 --- a/lib/libcrypto/conf/conf_err.c +++ b/lib/libcrypto/conf/conf_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_err.c,v 1.13 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: conf_err.c,v 1.14 2020/02/17 12:51:48 inoguchi Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -92,6 +92,7 @@ static ERR_STRING_DATA CONF_str_reasons[]= { {ERR_REASON(CONF_R_NO_VALUE) , "no value"}, {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "unable to create new section"}, {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME) , "unknown module name"}, + {ERR_REASON(CONF_R_VARIABLE_EXPANSION_TOO_LONG), "variable expansion too long"}, {ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE), "variable has no value"}, {0, NULL} }; -- cgit v1.2.3