kris
/
boringssl
1
0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
Преглед изворни кода

Fix out-of-memory condition in conf. 

conf has the ability to expand variables in config files. Repeatedly doing
this can lead to an exponential increase in the amount of memory required.
This places a limit on the length of a value that can result from an
expansion.

Credit to OSS-Fuzz for finding this problem.

(Imported from upstream's 6a6213556a. This
also import's upstream's ee1ccd0a41 which
we had previously missed.)

Change-Id: I9be06a7e8a062b5adcd00c974a7b245226123563
Reviewed-on: https://boringssl-review.googlesource.com/14316
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
David Benjamin пре 7 година
committed by CQ bot account: commit-bot@chromium.org
родитељ
fd67f61bb4
комит
2d05568a7b
3 измењених фајлова са 15 додато и 1 уклоњено
Подељен поглед
Diff Options
Show Stats Download Patch File Download Diff File
  1. +13
    -1
      crypto/conf/conf.c
  2. +1
    -0
      crypto/err/conf.errordata
  3. +1
    -0
      include/openssl/conf.h

+ 13
- 1
crypto/conf/conf.c Прегледај датотеку

@@ -69,6 +69,10 @@
#include "../internal.h"


/* The maximum length we can grow a value to after variable expansion. 64k
* should be more than enough for all reasonable uses. */
#define MAX_CONF_VALUE_LENGTH 65536

static uint32_t conf_value_hash(const CONF_VALUE *v) {
return (lh_strhash(v->section) << 2) ^ lh_strhash(v->name);
}
@@ -316,7 +320,15 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) {
OPENSSL_PUT_ERROR(CONF, CONF_R_VARIABLE_HAS_NO_VALUE);
goto err;
}
BUF_MEM_grow_clean(buf, (strlen(p) + buf->length - (e - from)));
size_t newsize = strlen(p) + buf->length - (e - from);
if (newsize > MAX_CONF_VALUE_LENGTH) {
OPENSSL_PUT_ERROR(CONF, CONF_R_VARIABLE_EXPANSION_TOO_LONG);
goto err;
}
if (!BUF_MEM_grow_clean(buf, newsize)) {
OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE);
goto err;
}
while (*p) {
buf->data[to++] = *(p++);
}


+ 1
- 0
crypto/err/conf.errordata Прегледај датотеку

@@ -3,4 +3,5 @@ CONF,101,MISSING_CLOSE_SQUARE_BRACKET
CONF,102,MISSING_EQUAL_SIGN
CONF,103,NO_CLOSE_BRACE
CONF,104,UNABLE_TO_CREATE_NEW_SECTION
CONF,106,VARIABLE_EXPANSION_TOO_LONG
CONF,105,VARIABLE_HAS_NO_VALUE

+ 1
- 0
include/openssl/conf.h Прегледај датотеку

@@ -180,5 +180,6 @@ BORINGSSL_MAKE_DELETER(CONF, NCONF_free)
#define CONF_R_NO_CLOSE_BRACE 103
#define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 104
#define CONF_R_VARIABLE_HAS_NO_VALUE 105
#define CONF_R_VARIABLE_EXPANSION_TOO_LONG 106

#endif /* OPENSSL_HEADER_THREAD_H */

Write Preview
Loading…
Откажи
Сачувај