From 1c69962622d166e58043603e8567f36880b506ef Mon Sep 17 00:00:00 2001
From: beck
Date: Wed, 27 Oct 2021 21:56:58 +0000
Subject: [PATCH] Add limits on size of certain untrusted inputs ok job@
---
 usr.sbin/rpki-client/cert.c | 6 +++++-
 usr.sbin/rpki-client/encoding.c | 4 ++--
 usr.sbin/rpki-client/extern.h | 19 ++++++++++++++++++-
 usr.sbin/rpki-client/roa.c | 4 ++--
 usr.sbin/rpki-client/validate.c | 4 ++--
 usr.sbin/rpki-client/x509.c | 20 +++++++++++++++++---
 6 files changed, 46 insertions(+), 11 deletions(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 36380d03c0c..e6d50931f9e 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.41 2021/10/26 13:31:05 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.42 2021/10/27 21:56:58 beck Exp $ */
 /*
 * Copyright (c) 2021 Job Snijders
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -80,6 +80,8 @@ append_ip(struct parse *p, const struct cert_ip *ip)
 if (!ip_addr_check_overlap(ip, p->fn, p->res->ips, p->res->ipsz))
 return 0;
+ if (res->ipsz >= MAX_IP_SIZE)
+ return 0;
 res->ips = reallocarray(res->ips, res->ipsz + 1, sizeof(struct cert_ip));
 if (res->ips == NULL)
@@ -99,6 +101,8 @@ append_as(struct parse *p, const struct cert_as *as)
 if (!as_check_overlap(as, p->fn, p->res->as, p->res->asz))
 return 0;
+ if (p->res->asz >= MAX_AS_SIZE)
+ return 0;
 p->res->as = reallocarray(p->res->as, p->res->asz + 1, sizeof(struct cert_as));
 if (p->res->as == NULL)
diff --git a/usr.sbin/rpki-client/encoding.c b/usr.sbin/rpki-client/encoding.c
index 0441fc0e877..bef98659ea5 100644
--- a/usr.sbin/rpki-client/encoding.c
+++ b/usr.sbin/rpki-client/encoding.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: encoding.c,v 1.6 2021/10/26 16:59:19 claudio Exp $ */
+/* $OpenBSD: encoding.c,v 1.7 2021/10/27 21:56:58 beck Exp $ */
 /*
 * Copyright (c) 2020 Claudio Jeker
 *
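Review bot: The new cap in append_ip (`if (res->ipsz >= MAX_IP_SIZE) return 0;`) rejects the entry without any diagnostic, so an operator cannot tell from this code which file hit the limit or that a limit was involved; the `MAX_AS_SIZE` check in the append_as hunk has the same gap. The URI limit checks this commit adds in x509.c do log through warnx, so a matching line before each return, e.g. `warnx("%s: too many IP address entries: limit %d", p->fn, MAX_IP_SIZE);`, would keep rejections of oversized untrusted input traceable. Both function bodies continue outside the hunks, so a caller may already report the failure; worth confirming. As a style point, append_ip tests `res->ipsz` while the overlap check directly above reads `p->res->ipsz`; using one spelling throughout would read more clearly.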
@@ -45,7 +45,7 @@ load_file(const char *name, size_t *len)
 return NULL;
 if (fstat(fd, &st) != 0)
 goto err;
- if (st.st_size < 0)
+ if (st.st_size < 0 || st.st_size > MAX_FILE_SIZE)
 goto err;
 size = (size_t)st.st_size;
 if ((buf = malloc(size)) == NULL)
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 309d5b48d83..fc07970c6bf 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.81 2021/10/26 16:59:19 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.82 2021/10/27 21:56:58 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -603,4 +603,21 @@ int mkpath(const char *);
 #define RPKI_PATH_OUT_DIR "/var/db/rpki-client"
 #define RPKI_PATH_BASE_DIR "/var/cache/rpki-client"
+/*
+ * Maximum number of ip ranges and AS ranges we will accept in
+ * any single file
+ */
+#define MAX_IP_SIZE 200000
+#define MAX_AS_SIZE 200000
+
+/*
+ * Maximum URI length we will accept
+ */
+#define MAX_URI_LENGTH 2048
+
+/*
+ * Maximum File Size we will accept
+ */
+#define MAX_FILE_SIZE 2000000
+
 #endif /* ! EXTERN_H */
diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c
index b8382067617..766e4e441a3 100644
--- a/usr.sbin/rpki-client/roa.c
+++ b/usr.sbin/rpki-client/roa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roa.c,v 1.28 2021/10/26 10:52:50 claudio Exp $ */
+/* $OpenBSD: roa.c,v 1.29 2021/10/27 21:56:58 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -379,7 +379,7 @@ roa_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len)
 goto out;
 }
 p.res->expires = expires;
-
+
 if (!roa_parse_econtent(cms, cmsz, &p))
 goto out;
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 8380d8c0de0..0e4e2547eaa 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
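Review bot: The over-limit branch in load_file reaches `goto err` without setting errno, unlike the fstat() failure just above it, so if the caller reports the NULL return through warn() or err() (not visible in this hunk) the message will carry a stale errno instead of the reason the file was refused. Setting it before the jump, `if (st.st_size > MAX_FILE_SIZE) { errno = EFBIG; goto err; }`, keeps a rejected oversized file distinguishable from an I/O error in the logs. The err label and the read that follows the malloc are outside the hunk, so whether errno is preserved across cleanup there should be checked as well.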
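Review bot: The comments on the new limits in extern.h give neither units nor the basis for the values, and two of the names suggest the wrong unit. `MAX_FILE_SIZE` is compared with `st.st_size` in load_file, so it is a byte count, while `MAX_IP_SIZE` and `MAX_AS_SIZE` are compared with the element counters `ipsz` and `asz` rather than with a size. Suggested wording: `/* Maximum size in bytes of a file we will load */`, `/* Maximum length in bytes of a URI we will accept */`, and for the first pair a remark that the value is a number of entries. A short note on how 200000 and 2000000 were chosen would let a later reader judge whether a legitimate object can exceed them.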
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.18 2021/10/27 18:09:08 job Exp $ */
+/* $OpenBSD: validate.c,v 1.19 2021/10/27 21:56:58 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons
 *
@@ -321,7 +321,7 @@ valid_uri(const char *uri, size_t usz, const char *proto)
 {
 size_t s;
- if (usz > 2048)
+ if (usz > MAX_URI_LENGTH)
 return 0;
 for (s = 0; s < usz; s++)
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 74d29e21ef9..7d3962c11a5 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.27 2021/10/24 16:59:14 claudio Exp $ */
+/* $OpenBSD: x509.c,v 1.28 2021/10/27 21:56:58 beck Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker
 * Copyright (c) 2019 Kristaps Dzonsons
@@ -282,11 +282,18 @@ x509_get_aia(X509 *x, const char *fn)
 goto out;
 }
+ if (ASN1_STRING_length(ad->location->d.uniformResourceIdentifier)
+ > MAX_URI_LENGTH) {
+ warnx("%s: RFC 6487 section 4.8.7: AIA: "
+ "URI exceeds max length of %d", fn, MAX_URI_LENGTH);
+ goto out;
+ }
+
 aia = strndup(
 ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier),
 ASN1_STRING_length(ad->location->d.uniformResourceIdentifier));
 if (aia == NULL)
- err(1, NULL);
+ err(1, NULL); /* why not just return NULL? */
 out:
 AUTHORITY_INFO_ACCESS_free(info);
@@ -377,10 +384,17 @@ x509_get_crl(X509 *x, const char *fn)
 goto out;
 }
+ if (ASN1_STRING_length(name->d.uniformResourceIdentifier)
+ > MAX_URI_LENGTH) {
+ warnx("%s: RFC 6487 section 4.8.6: CRL: "
+ "URI exceeds max length of %d", fn, MAX_URI_LENGTH);
+ goto out;
+ }
+
 crl = strndup(ASN1_STRING_get0_data(name->d.uniformResourceIdentifier),
 ASN1_STRING_length(name->d.uniformResourceIdentifier));
 if (crl == NULL)
- err(1, NULL);
+ err(1, NULL); /* why not just return NULL? */
 out:
 CRL_DIST_POINTS_free(crldp);
--
2.20.1
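Review bot: The new length check in x509_get_aia bounds the ASN.1 string length, but the strndup() that follows stops at the first NUL byte, so a URI carrying an embedded NUL would be stored shorter than the length that was just validated; x509_get_crl in the next hunk has the same pattern. Unless an earlier check in these functions (outside the hunks) already rejects such bytes, the copy should be refused when `strlen(aia)` differs from the ASN1_STRING_length() value. Alternatively the raw bytes could be passed through valid_uri(), which already applies the `MAX_URI_LENGTH` bound and walks the input, although its loop body is not visible here. Separately, the added `/* why not just return NULL? */` comments leave an open question in the code; either resolve it or reword it as a note stating the intended behaviour on allocation failure.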