[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Sun Mar 12 00:35:05 UTC 2017 

The branch OpenSSL_1_1_0-stable has been updated
       via  c2f9144e52a3168a6faca83839367b0adfedfc50 (commit)
      from  a3b56f2f43b4f405a7023f055520075e327501bd (commit)


- Log -----------------------------------------------------------------
commit c2f9144e52a3168a6faca83839367b0adfedfc50
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Mar 10 10:51:35 2017 +0000

    Fix out-of-memory condition in conf
    
    conf has the ability to expand variables in config files. Repeatedly doing
    this can lead to an exponential increase in the amount of memory required.
    This places a limit on the length of a value that can result from an
    expansion.
    
    Credit to OSS-Fuzz for finding this problem.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2894)
    (cherry picked from commit 8a585601fea1091022034dd14b961c1ecd5916c3)

-----------------------------------------------------------------------

Summary of changes:
 crypto/conf/conf_def.c                             | 16 +++++++--
 crypto/conf/conf_err.c                             |  4 ++-
 doc/apps/config.pod                                |  3 +-
 .../conf/0d7ad6e04c0235cdc590756ceec867a05cff5823  | 41 ++++++++++++++++++++++
 include/openssl/conf.h                             |  1 +
 5 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 fuzz/corpora/conf/0d7ad6e04c0235cdc590756ceec867a05cff5823

diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
index 8861b3a..a7b11d1 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -20,6 +20,12 @@
 #include <openssl/buffer.h>
 #include <openssl/err.h>
 
+/*
+ * The maximum length we can grow a value to after variable expansion. 64k
+ * should be more than enough for all reasonable uses.
+ */
+#define MAX_CONF_VALUE_LENGTH       65536
+
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
 static void clear_comments(CONF *conf, char *p);
@@ -457,6 +463,8 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
         } else if (IS_EOF(conf, *from))
             break;
         else if (*from == '$') {
+            size_t newsize;
+
             /* try to expand it */
             rrp = NULL;
             s = &(from[1]);
@@ -511,8 +519,12 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                 CONFerr(CONF_F_STR_COPY, CONF_R_VARIABLE_HAS_NO_VALUE);
                 goto err;
             }
-            if (!BUF_MEM_grow_clean(buf,
-                        (strlen(p) + buf->length - (e - from)))) {
+            newsize = strlen(p) + buf->length - (e - from);
+            if (newsize > MAX_CONF_VALUE_LENGTH) {
+                CONFerr(CONF_F_STR_COPY, CONF_R_VARIABLE_EXPANSION_TOO_LONG);
+                goto err;
+            }
+            if (!BUF_MEM_grow_clean(buf, newsize)) {
                 CONFerr(CONF_F_STR_COPY, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c
index b583c05..0863bc4 100644
--- a/crypto/conf/conf_err.c
+++ b/crypto/conf/conf_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -60,6 +60,8 @@ static ERR_STRING_DATA CONF_str_reasons[] = {
     {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION),
      "unable to create new section"},
     {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME), "unknown module name"},
+    {ERR_REASON(CONF_R_VARIABLE_EXPANSION_TOO_LONG),
+     "variable expansion too long"},
     {ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE), "variable has no value"},
     {0, NULL}
 };
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index a9cde89..76f282f 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -46,7 +46,8 @@ or B<${section::name}>. By using the form B<$ENV::name> environment
 variables can be substituted. It is also possible to assign values to
 environment variables by using the name B<ENV::name>, this will work
 if the program looks up environment variables using the B<CONF> library
-instead of calling getenv() directly.
+instead of calling getenv() directly. The value string must not exceed 64k in
+length after variable expansion. Otherwise an error will occur.
 
 It is possible to escape certain characters by using any kind of quote
 or the B<\> character. By making the last character of a line a B<\>
diff --git a/fuzz/corpora/conf/0d7ad6e04c0235cdc590756ceec867a05cff5823 b/fuzz/corpora/conf/0d7ad6e04c0235cdc590756ceec867a05cff5823
new file mode 100644
index 0000000..b0ed191
--- /dev/null
+++ b/fuzz/corpora/conf/0d7ad6e04c0235cdc590756ceec867a05cff5823
@@ -0,0 +1,41 @@
+=;2I8
+=$$$$$$󠁉
+=$$$$$$$
+=$$$
+=$$$󠁷
+=$$$
+=$$$
+=$$$
+=
+=$$$
+=$$$
+=$$$󠁷
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$$$$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$$$$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$
+=$$$
+=$$$$$$$
+=$$$
+=$󠁝$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$
+=$$$$$
\ No newline at end of file
diff --git a/include/openssl/conf.h b/include/openssl/conf.h
index 462e3c9..980a51b 100644
--- a/include/openssl/conf.h
+++ b/include/openssl/conf.h
@@ -208,6 +208,7 @@ int ERR_load_CONF_strings(void);
 # define CONF_R_NO_VALUE                                  108
 # define CONF_R_UNABLE_TO_CREATE_NEW_SECTION              103
 # define CONF_R_UNKNOWN_MODULE_NAME                       113
+# define CONF_R_VARIABLE_EXPANSION_TOO_LONG               116
 # define CONF_R_VARIABLE_HAS_NO_VALUE                     104
 
 # ifdef  __cplusplus

More information about the openssl-commits mailing list