diff options
| author | Graham Woodward <graham.woodward@ibm.com> | 2022-09-27 12:37:59 +0100 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2022-11-16 17:19:25 +0100 |
| commit | 9351f675fab42abbc321f0994bff7e0b27cfbe57 (patch) | |
| tree | 39bb998331d62158b72154cae8a4e9890f7c7dcc | |
| parent | 2fea56832780248af2aba2e4433ece2d18428515 (diff) | |
Catch incorrect IPAddressFamily lengths
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19273)
| -rw-r--r-- | crypto/x509/v3_addr.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/crypto/x509/v3_addr.c b/crypto/x509/v3_addr.c index 31b439a816..9b639e85aa 100644 --- a/crypto/x509/v3_addr.c +++ b/crypto/x509/v3_addr.c @@ -697,6 +697,14 @@ static int IPAddressFamily_cmp(const IPAddressFamily *const *a_, return cmp ? cmp : a->length - b->length; } +static int IPAddressFamily_check_len(const IPAddressFamily *f) +{ + if (f->addressFamily->length < 2 || f->addressFamily->length > 3) + return 0; + else + return 1; +} + /* * Check whether an IPAddrBLocks is in canonical form. */ @@ -720,6 +728,9 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr) const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); + if (!IPAddressFamily_check_len(a) || !IPAddressFamily_check_len(b)) + return 0; + if (IPAddressFamily_cmp(&a, &b) >= 0) return 0; } @@ -746,6 +757,9 @@ int X509v3_addr_is_canonical(IPAddrBlocks *addr) return 0; } + if (!IPAddressFamily_check_len(f)) + return 0; + /* * It's an IPAddressOrRanges sequence, check it. */ @@ -896,6 +910,9 @@ int X509v3_addr_canonize(IPAddrBlocks *addr) for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + if (!IPAddressFamily_check_len(f)) + return 0; + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && !IPAddressOrRanges_canonize(f->ipAddressChoice-> u.addressesOrRanges, @@ -1164,6 +1181,8 @@ int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) int j = sk_IPAddressFamily_find(b, fa); IPAddressFamily *fb = sk_IPAddressFamily_value(b, j); + if (!IPAddressFamily_check_len(fa) || !IPAddressFamily_check_len(fb)) + return 0; if (fb == NULL) return 0; if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, @@ -1252,6 +1271,9 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, for (j = 0; j < sk_IPAddressFamily_num(child); j++) { IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); + if (!IPAddressFamily_check_len(fc)) + return 0; + if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { validation_err(X509_V_ERR_UNNESTED_RESOURCE); break; @@ -1267,6 +1289,9 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); + if (!IPAddressFamily_check_len(fc) || !IPAddressFamily_check_len(fp)) + return 0; + if (fp == NULL) { if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { @@ -1295,6 +1320,9 @@ static int addr_validate_path_internal(X509_STORE_CTX *ctx, for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); + if (!IPAddressFamily_check_len(fp)) + return 0; + if (fp->ipAddressChoice->type == IPAddressChoice_inherit && sk_IPAddressFamily_find(child, fp) >= 0) validation_err(X509_V_ERR_UNNESTED_RESOURCE); |