From 8672b09068d98f2e4a156dd51f4eae7f57483fc2 Mon Sep 17 00:00:00 2001
From: tb
Date: Sun, 18 Dec 2022 12:31:57 +0000
Subject: [PATCH] acme-client: check EC signature length
Make sure the size_t containing EC signature length is not truncated when passing it to d2i_ECDSA_SIG() as a long. This won't happen, but documents API quirks... requested by jsing
---
 usr.sbin/acme-client/acctproc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/acme-client/acctproc.c b/usr.sbin/acme-client/acctproc.c
index 5588eaef195..8c5917c624d 100644
--- a/usr.sbin/acme-client/acctproc.c
+++ b/usr.sbin/acme-client/acctproc.c
@@ -1,4 +1,4 @@
-/* $Id: acctproc.c,v 1.27 2022/12/18 12:27:58 tb Exp $ */
+/* $Id: acctproc.c,v 1.28 2022/12/18 12:31:57 tb Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons
 *
@@ -18,6 +18,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -367,6 +368,11 @@ op_sign(int fd, EVP_PKEY *pkey, enum acctop op)
 }
 break;
 case EVP_PKEY_EC:
+ if (digsz > LONG_MAX) {
+ warnx("EC signature too long");
+ goto out;
+ }
+ digp = dig;
 if ((ec_sig = d2i_ECDSA_SIG(NULL, &digp, digsz)) == NULL) {
 warnx("d2i_ECDSA_SIG");
--
2.20.1
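Review bot: The `digsz > LONG_MAX` guard under `case EVP_PKEY_EC:` carries no comment, so the API quirk this commit sets out to document is recorded only in the commit message; a line such as `/* d2i_ECDSA_SIG() takes the length as a long; refuse rather than truncate the size_t. */` above the `if` would keep the reason next to the code. In the same spirit, d2i_ECDSA_SIG() advances `digp` past what it parsed and does not by itself reject trailing bytes, so unless the rest of the case already does it, `if (digp != dig + digsz)` after the call would confirm the buffer held exactly one DER signature. op_sign() begins and ends outside this hunk, so the `out` label and any later use of `digp` are not visible here.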