diff options
| author | Matt Caswell <matt@openssl.org> | 2022-06-10 12:33:45 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2022-07-22 08:41:38 +0100 |
| commit | b91ad3c69c27c35be4fd7f1e8811c33c31b02afd (patch) | |
| tree | 5028ad0756aa67cff17975cb66067e3dd21d0cac /crypto/x509 | |
| parent | 2752ab2eb61dcfc799775d34eaeda3621b85f95f (diff) | |
| download | openssl-new-b91ad3c69c27c35be4fd7f1e8811c33c31b02afd.tar.gz | |
Fix a crash in v2i_IPAddrBlocks()
If an IP address prefix value is supplied that is too large then a crash
can result. v2i_IPAddrBlocks() should sanity check the prefix value, as
should X509v3_addr_add_prefix().
Reported by Theo Buehler (@botovq)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18523)
Diffstat (limited to 'crypto/x509')
| -rw-r--r-- | crypto/x509/v3_addr.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/crypto/x509/v3_addr.c b/crypto/x509/v3_addr.c index 51de887a40..1697bf7895 100644 --- a/crypto/x509/v3_addr.c +++ b/crypto/x509/v3_addr.c @@ -398,12 +398,14 @@ static int range_should_be_prefix(const unsigned char *min, /* * Construct a prefix. */ -static int make_addressPrefix(IPAddressOrRange **result, - unsigned char *addr, const int prefixlen) +static int make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, + const int prefixlen, const int afilen) { int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; IPAddressOrRange *aor = IPAddressOrRange_new(); + if (prefixlen < 0 || prefixlen > (afilen * 8)) + return 0; if (aor == NULL) return 0; aor->type = IPAddressOrRange_addressPrefix; @@ -440,7 +442,7 @@ static int make_addressRange(IPAddressOrRange **result, return 0; if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) - return make_addressPrefix(result, min, prefixlen); + return make_addressPrefix(result, min, prefixlen, length); if ((aor = IPAddressOrRange_new()) == NULL) return 0; @@ -604,7 +606,8 @@ int X509v3_addr_add_prefix(IPAddrBlocks *addr, IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); IPAddressOrRange *aor; - if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) + if (aors == NULL + || !make_addressPrefix(&aor, a, prefixlen, length_from_afi(afi))) return 0; if (sk_IPAddressOrRange_push(aors, aor)) return 1; @@ -1009,7 +1012,10 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method, switch (delim) { case '/': prefixlen = (int)strtoul(s + i2, &t, 10); - if (t == s + i2 || *t != '\0') { + if (t == s + i2 + || *t != '\0' + || prefixlen > (length * 8) + || prefixlen < 0) { ERR_raise(ERR_LIB_X509V3, X509V3_R_EXTENSION_VALUE_ERROR); X509V3_conf_add_error_name_value(val); goto err; |