authorJouni Malinen <jouni@codeaurora.org>2019-06-09 01:41:15 (GMT)
committerJouni Malinen <jouni@codeaurora.org>2019-06-11 03:34:19 (GMT)
commita6ed414c826647719b2b1e0cf37e75357275fa99 (patch)
tree07b2e7ff03aeb79ee0afa72fbd4f45450a666015
parentd438b4a3cebcceb443747346c8ad91666a1ef325 (diff)
TLS: Be more careful in X.509 Time parsing
sscanf() can apparently read beyond the end of the buffer even if the maximum length of the integer is specified in the format string. Replace this parsing mechanism with helper functions that use sscanf() with a NUL terminated string to avoid this.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15158

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/tls/x509v3.c58
1 files changed, 50 insertions, 8 deletions
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index fa4d442..d74b3a2 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -538,9 +538,43 @@ done:
}
+static int parse_uint2(const char *pos, size_t len)
+{
+ char buf[3];
+ int ret;
+
+ if (len < 2)
+ return -1;
+ buf[0] = pos[0];
+ buf[1] = pos[1];
+ buf[2] = 0x00;
+ if (sscanf(buf, "%2d", &ret) != 1)
+ return -1;
+ return ret;
+}
+
+
+static int parse_uint4(const char *pos, size_t len)
+{
+ char buf[5];
+ int ret;
+
+ if (len < 4)
+ return -1;
+ buf[0] = pos[0];
+ buf[1] = pos[1];
+ buf[2] = pos[2];
+ buf[3] = pos[3];
+ buf[4] = 0x00;
+ if (sscanf(buf, "%4d", &ret) != 1)
+ return -1;
+ return ret;
+}
+
+
int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val)
{
- const char *pos;
+ const char *pos, *end;
int year, month, day, hour, min, sec;
/*
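Review bot: parse_uint2 and parse_uint4 still leave validation to sscanf(), which skips leading whitespace, accepts a `+` sign and stops at the first non-digit, so two-byte fields such as `" 7"`, `"+7"` or `"7x"` are accepted even though the DER Time syntax requires exactly two ASCII digits (a `-` sign is only rejected incidentally, because the negative result trips the `< 0` check in the callers). A direct per-byte digit check removes the dependence on sscanf() semantics and makes the accepted input unambiguous; the same rewrite applies to parse_uint4 with four positions. The copy into a NUL-terminated stack buffer does address the over-read the commit targets, so this is a strictness follow-up rather than a regression.
```c
static int parse_uint2(const char *pos, size_t len)
{
	if (len < 2 ||
	    pos[0] < '0' || pos[0] > '9' ||
	    pos[1] < '0' || pos[1] > '9')
		return -1;
	return (pos[0] - '0') * 10 + (pos[1] - '0');
}

/* … parse_uint4: same shape, checking pos[0..3] and folding four digits … */
```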
@@ -554,6 +588,7 @@ int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val)
*/
pos = (const char *) buf;
+ end = pos + len;
switch (asn1_tag) {
case ASN1_TAG_UTCTIME:
@@ -562,7 +597,8 @@ int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val)
"UTCTime format", buf, len);
return -1;
}
- if (sscanf(pos, "%02d", &year) != 1) {
+ year = parse_uint2(pos, end - pos);
+ if (year < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse "
"UTCTime year", buf, len);
return -1;
@@ -579,7 +615,8 @@ int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val)
"GeneralizedTime format", buf, len);
return -1;
}
- if (sscanf(pos, "%04d", &year) != 1) {
+ year = parse_uint4(pos, end - pos);
+ if (year < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse "
"GeneralizedTime year", buf, len);
return -1;
@@ -592,35 +629,40 @@ int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val)
return -1;
}
- if (sscanf(pos, "%02d", &month) != 1) {
+ month = parse_uint2(pos, end - pos);
+ if (month < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(month)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &day) != 1) {
+ day = parse_uint2(pos, end - pos);
+ if (day < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(day)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &hour) != 1) {
+ hour = parse_uint2(pos, end - pos);
+ if (hour < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(hour)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &min) != 1) {
+ min = parse_uint2(pos, end - pos);
+ if (min < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(min)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &sec) != 1) {
+ sec = parse_uint2(pos, end - pos);
+ if (sec < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(sec)", buf, len);
return -1;