author: Neil Horman <nhorman@openssl.org> 2023-11-30 14:28:09 -0500
committer: Tomas Mraz <tomas@openssl.org> 2023-12-22 11:36:22 +0100
commit: 25d6aecd0061eda532b2172b4fa8cb2afbe8d9e6
tree: a420cb4716c9e2ed8cd38c844469be05e92f53b4 /include
parent: ce625bb5eb53691cb23d98c3ca76aebd62d0f5f2
Detect and prevent recursive config parsing
If a malformed config file is provided such as the following:

    openssl_conf = openssl_init
    [openssl_init]
    providers = provider_sect
    [provider_sect]
    = provider_sect

The config parsing library will crash overflowing the stack, as it recursively parses the same provider_sect ad nauseam.

Prevent this by maintaining a list of visited nodes as we recurse through referenced sections, and erroring out in the event we visit any given section node more than once.

Note, adding the test for this revealed that our diagnostic code inadvertently pops recorded errors off the error stack because provider_conf_load returns success even in the event that a configuration parse failed. The call path to provider_conf_load has been updated in this commit to address that shortcoming, allowing recorded errors to be visible to calling applications.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22898)
(cherry picked from commit 682fd21afb5428b5716e62eaefb09a7419f9cfd7)
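The visited-list check the commit message describes, as an added C example that is not OpenSSL's code: the `section` model, `load_config`, `load_section` and the return codes are hypothetical names, and the list here holds only the sections on the current descent path, which is an assumption of this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy model (not OpenSSL's CONF API): a section holds up to
 * four values, and a value that names a section is a reference to it. */
typedef struct section { const char *name; const char *values[4]; } section;
enum { MAX_DEPTH = 16, LOAD_OK = 0, LOAD_RECURSIVE = -1, LOAD_TOO_DEEP = -2 };

/* Constructed sample mirroring the malformed config in the commit message. */
const section bad_conf[] = {
    { "openssl_init",  { "provider_sect" } },
    { "provider_sect", { "provider_sect" } },
};

static const section *find_section(const section *secs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(secs[i].name, name) == 0)
            return &secs[i];
    return NULL;
}

/* Record each section on the way down; meeting one that is already on the
 * list means the config refers back to itself, so fail instead of recursing. */
static int load_section(const section *secs, size_t n, const section *sec,
                        const section **visited, size_t depth)
{
    if (depth >= MAX_DEPTH)
        return LOAD_TOO_DEEP;
    for (size_t i = 0; i < depth; i++)
        if (visited[i] == sec)
            return LOAD_RECURSIVE;
    visited[depth] = sec;
    for (size_t v = 0; v < 4 && sec->values[v] != NULL; v++) {
        const section *ref = find_section(secs, n, sec->values[v]);
        int rc = ref ? load_section(secs, n, ref, visited, depth + 1) : LOAD_OK;
        if (rc != LOAD_OK)
            return rc; /* propagate the failure, never report success */
    }
    return LOAD_OK;
}

int load_config(const section *secs, size_t n, const char *root)
{
    const section *visited[MAX_DEPTH];
    const section *sec = find_section(secs, n, root);
    return sec ? load_section(secs, n, sec, visited, 0) : LOAD_OK;
}

int main(void) { return load_config(bad_conf, 2, "openssl_init") == LOAD_RECURSIVE ? 0 : 1; }
```

Returning the non-zero code up every level is what keeps the failure visible to the caller, the second point the commit message raises.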
Diffstat (limited to 'include')
-rw-r--r-- include/crypto/conferr.h 2
-rw-r--r-- include/openssl/conferr.h 3
2 files changed, 3 insertions, 2 deletions
diff --git a/include/crypto/conferr.h b/include/crypto/conferr.h
index cb367e4f32..fc9645127d 100644
--- a/include/crypto/conferr.h
+++ b/include/crypto/conferr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
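Review bot: The copyright year on the -/+ pair is the only change to include/crypto/conferr.h, and the header two lines above it says the file is generated by util/mkerr.pl and must not be edited. Please confirm the new year came from rerunning the generator and not from a hand edit, so that the next regeneration does not produce an unrelated diff in this file.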
diff --git a/include/openssl/conferr.h b/include/openssl/conferr.h
index 496e2e1efd..a8798e7924 100644
--- a/include/openssl/conferr.h
+++ b/include/openssl/conferr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,6 +38,7 @@
# define CONF_R_NUMBER_TOO_LARGE 121
# define CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION 124
# define CONF_R_RECURSIVE_DIRECTORY_INCLUDE 111
+# define CONF_R_RECURSIVE_SECTION_REFERENCE 126
# define CONF_R_RELATIVE_PATH 125
# define CONF_R_SSL_COMMAND_SECTION_EMPTY 117
# define CONF_R_SSL_COMMAND_SECTION_NOT_FOUND 118
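Review bot: CONF_R_RECURSIVE_SECTION_REFERENCE is assigned 126 in a public header by a cherry-picked commit, so the value needs to be identical to the one assigned in 682fd21afb5428b5716e62eaefb09a7419f9cfd7; a reason code that differs between branches makes error reports ambiguous for applications that compare against it. This view is limited to include/, so the reason string that belongs with the define and the test the commit message mentions are not visible here and should be checked in the full patch. The name reads consistently beside the existing CONF_R_RECURSIVE_DIRECTORY_INCLUDE.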