-/* $OpenBSD: cert.c,v 1.41 2021/10/26 13:31:05 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.42 2021/10/27 21:56:58 beck Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
if (!ip_addr_check_overlap(ip, p->fn, p->res->ips, p->res->ipsz))
return 0;
+ if (res->ipsz >= MAX_IP_SIZE)
+ return 0;
res->ips = reallocarray(res->ips, res->ipsz + 1,
sizeof(struct cert_ip));
if (res->ips == NULL)
if (!as_check_overlap(as, p->fn, p->res->as, p->res->asz))
return 0;
+ if (p->res->asz >= MAX_AS_SIZE)
+ return 0;
p->res->as = reallocarray(p->res->as, p->res->asz + 1,
sizeof(struct cert_as));
if (p->res->as == NULL)
-/* $OpenBSD: encoding.c,v 1.6 2021/10/26 16:59:19 claudio Exp $ */
+/* $OpenBSD: encoding.c,v 1.7 2021/10/27 21:56:58 beck Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
*
return NULL;
if (fstat(fd, &st) != 0)
goto err;
- if (st.st_size < 0)
+ if (st.st_size < 0 || st.st_size > MAX_FILE_SIZE)
goto err;
size = (size_t)st.st_size;
if ((buf = malloc(size)) == NULL)
-/* $OpenBSD: extern.h,v 1.81 2021/10/26 16:59:19 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.82 2021/10/27 21:56:58 beck Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
#define RPKI_PATH_OUT_DIR "/var/db/rpki-client"
#define RPKI_PATH_BASE_DIR "/var/cache/rpki-client"
+/*
+ * Maximum number of ip ranges and AS ranges we will accept in
+ * any single file
+ */
+#define MAX_IP_SIZE 200000
+#define MAX_AS_SIZE 200000
+
+/*
+ * Maximum URI length we will accept
+ */
+#define MAX_URI_LENGTH 2048
+
+/*
+ * Maximum File Size we will accept
+ */
+#define MAX_FILE_SIZE 2000000
+
#endif /* ! EXTERN_H */
-/* $OpenBSD: roa.c,v 1.28 2021/10/26 10:52:50 claudio Exp $ */
+/* $OpenBSD: roa.c,v 1.29 2021/10/27 21:56:58 beck Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
goto out;
}
p.res->expires = expires;
-
+
if (!roa_parse_econtent(cms, cmsz, &p))
goto out;
-/* $OpenBSD: validate.c,v 1.18 2021/10/27 18:09:08 job Exp $ */
+/* $OpenBSD: validate.c,v 1.19 2021/10/27 21:56:58 beck Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
{
size_t s;
- if (usz > 2048)
+ if (usz > MAX_URI_LENGTH)
return 0;
for (s = 0; s < usz; s++)
-/* $OpenBSD: x509.c,v 1.27 2021/10/24 16:59:14 claudio Exp $ */
+/* $OpenBSD: x509.c,v 1.28 2021/10/27 21:56:58 beck Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
goto out;
}
+ if (ASN1_STRING_length(ad->location->d.uniformResourceIdentifier)
+ > MAX_URI_LENGTH) {
+ warnx("%s: RFC 6487 section 4.8.7: AIA: "
+ "URI exceeds max length of %d", fn, MAX_URI_LENGTH);
+ goto out;
+ }
+
aia = strndup(
ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier),
ASN1_STRING_length(ad->location->d.uniformResourceIdentifier));
if (aia == NULL)
- err(1, NULL);
+ err(1, NULL); /* why not just return NULL? */
out:
AUTHORITY_INFO_ACCESS_free(info);
goto out;
}
+ if (ASN1_STRING_length(name->d.uniformResourceIdentifier)
+ > MAX_URI_LENGTH) {
+ warnx("%s: RFC 6487 section 4.8.6: CRL: "
+ "URI exceeds max length of %d", fn, MAX_URI_LENGTH);
+ goto out;
+ }
+
crl = strndup(ASN1_STRING_get0_data(name->d.uniformResourceIdentifier),
ASN1_STRING_length(name->d.uniformResourceIdentifier));
if (crl == NULL)
- err(1, NULL);
+ err(1, NULL); /* why not just return NULL? */
out:
CRL_DIST_POINTS_free(crldp);
projects / openbsd / commitdiff