From b9ea95bbb3a40eef6d9d21d137e57420f0219f36 Mon Sep 17 00:00:00 2001 From: job Date: Wed, 9 Nov 2022 18:17:23 +0000 Subject: [PATCH] Error out if a ROA payload contains too many ipAddrBlocks The ASN.1 profile in draft-ietf-sidrops-rfc6482bis section 4 specifies that there must not be more than 2 ipAddrBlocks (one for IPv4, and one for IPv6). Compatible with all published ROAs. OK tb@ --- usr.sbin/rpki-client/roa.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/usr.sbin/rpki-client/roa.c b/usr.sbin/rpki-client/roa.c index 4a40126531d..c9ddca720f4 100644 --- a/usr.sbin/rpki-client/roa.c +++ b/usr.sbin/rpki-client/roa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: roa.c,v 1.55 2022/11/04 09:43:13 job Exp $ */ +/* $OpenBSD: roa.c,v 1.56 2022/11/09 18:17:23 job Exp $ */ /* * Copyright (c) 2022 Theo Buehler * Copyright (c) 2019 Kristaps Dzonsons @@ -111,6 +111,7 @@ roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) long maxlen; struct ip_addr ipaddr; struct roa_ip *res; + int ipaddrblocksz; int i, j, rc = 0; if ((roa = d2i_RouteOriginAttestation(NULL, &d, dsz)) == NULL) { @@ -128,7 +129,14 @@ roa_parse_econtent(const unsigned char *d, size_t dsz, struct parse *p) goto out; } - for (i = 0; i < sk_ROAIPAddressFamily_num(roa->ipAddrBlocks); i++) { + ipaddrblocksz = sk_ROAIPAddressFamily_num(roa->ipAddrBlocks); + if (ipaddrblocksz > 2) { + warnx("%s: draft-rfc6482bis: too many ipAddrBlocks " + "(got %d, expected 1 or 2)", p->fn, ipaddrblocksz); + goto out; + } + + for (i = 0; i < ipaddrblocksz; i++) { addrfam = sk_ROAIPAddressFamily_value(roa->ipAddrBlocks, i); addrs = addrfam->addresses; addrsz = sk_ROAIPAddress_num(addrs); -- 2.20.1