Potential use after free in callers of X509v3_asid_add_id_or_range() #22700
Labels: branch: master, branch: 3.0, branch: 3.1, branch: 3.2, triaged: bug
Comments
botovq changed the title from "Potential use after free in callers of X509v3_addr_add_id_or_range()" to "Potential use after free in callers of X509v3_asid_add_id_or_range()" on Nov 11, 2023
t8m added the labels branch: master, triaged: bug, branch: 3.0, branch: 3.1, branch: 3.2 and removed the label issue: bug report on Nov 13, 2023
how about this for a simple fix?
maybe with a comment at the sk_ASIdOrRange_push below, that it cannot fail
On Mon, Nov 13, 2023 at 06:59:01PM -0800, Bernd Edlinger wrote:
> how about this for a simple fix?

Sure, that will fix part of the many bugs here, but you won't be able to backport this to 1.1 (if you care to do so).
I will certainly back port that to my 1.1.1 feature branch:
the point is that this api can still leave asid in an incoherent state. you should not have an empty stack there, for example. incrementally populating asid is a bad idea to begin with.
On Tue, Nov 14, 2023, at 10:55 AM, Bernd Edlinger wrote:
> I will certainly back port that to my 1.1.1 feature branch:
> https://github.com/bernd-edlinger/openssl/tree/openssl-111-features
> I have lots of similar fixes in the queue.
bernd-edlinger added a commit to bernd-edlinger/openssl that referenced this issue on Nov 15, 2023:

And clean up partially created choice objects, which have still the default type = -1 from ASIdentifierChoice_new().
Fixes openssl#22700

bernd-edlinger added a commit to bernd-edlinger/openssl that referenced this issue on Dec 1, 2023:

And clean up partially created choice objects, which have still the default type = -1 from ASIdentifierChoice_new().
Fixes openssl#22700
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#22745)
(cherry picked from commit 49e9436)

wbeck10 pushed a commit to wbeck10/openssl that referenced this issue on Jan 8, 2024:

And clean up partially created choice objects, which have still the default type = -1 from ASIdentifierChoice_new().
Fixes openssl#22700
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from openssl#22745)
The RFC 3779 code is undocumented, not very well designed and thus a rather dangerous public OpenSSL API. It's full of traps and bugs. It should at least be warned against if not documented. Fortunately, almost no one uses it, but there is now an attempt at exposing bindings to Rust: sfackler/rust-openssl#2053.

The only internal caller v2i_ASIdentifiers() of X509v3_asid_add_id_or_range() allocates and passes one or two ASN1_INTEGERs and frees them on failure.

Towards the end of X509v3_asid_add_id_or_range(), ownership of min and max is transferred to aor:

openssl/crypto/x509/v3_asid.c, lines 218 to 221 in 9e75a0b

Subsequently, aor is pushed onto a part of asid. If the push fails, aor is freed and min and max with it.

openssl/crypto/x509/v3_asid.c, lines 223 to 229 in 9e75a0b

Here's the fix I landed earlier today: openbsd/src@9b790dc.
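The ownership problem described in this report, reduced to a self-contained C model. This is an added example, not OpenSSL's or OpenBSD's code: every type and function name is hypothetical, and "freeing" only increments a counter so the double free can be observed without undefined behaviour. The second variant performs the fallible step before ownership moves, which is one way to make the later push unable to fail.

```c
#include <stddef.h>

/* Toy model with hypothetical names; nothing here is OpenSSL's own code. */
typedef struct { int frees; } Int;              /* stands in for ASN1_INTEGER */
typedef struct { Int *min, *max; } Range;       /* stands in for ASIdOrRange */
typedef struct { Range *items[4]; int n, cap; } Stack;

static void int_free(Int *i) { if (i != NULL) i->frees++; }
/* Freeing a range frees the integers it owns. */
static void range_free(Range *r) { int_free(r->min); int_free(r->max); }
static int stack_reserve(Stack *s, int extra) { return s->n + extra <= s->cap; }
static int stack_push(Stack *s, Range *r)
{
    if (s->n >= s->cap) return 0;               /* simulated allocation failure */
    s->items[s->n++] = r;
    return 1;
}

/* Pattern from the report: ownership moves to r, then the push may still fail. */
static int add_range_buggy(Stack *s, Range *r, Int *min, Int *max)
{
    r->min = min; r->max = max;                 /* ownership transferred to r */
    if (!stack_push(s, r)) { range_free(r); return 0; }  /* frees min and max */
    return 1;
}

/* Fallible step first: on failure the caller still owns min and max. */
static int add_range_fixed(Stack *s, Range *r, Int *min, Int *max)
{
    if (!stack_reserve(s, 1)) return 0;
    r->min = min; r->max = max;
    return stack_push(s, r);                    /* cannot fail after the reservation */
}

/* Caller modelled on the description: it frees its integers when the call fails.
 * Returns how many times min was freed when the push cannot succeed. */
static int frees_on_failure(int (*add)(Stack *, Range *, Int *, Int *))
{
    Int min = {0}, max = {0};
    Range r = {NULL, NULL};
    Stack full = {{NULL}, 0, 0};                /* capacity 0: every push fails */
    if (!add(&full, &r, &min, &max)) { int_free(&min); int_free(&max); }
    return min.frees;
}

int main(void)
{
    return !(frees_on_failure(add_range_buggy) == 2 && frees_on_failure(add_range_fixed) == 1);
}
```

With real heap objects the second free in the buggy path would operate on memory that has already been released, which is why the contract for who frees min and max on failure has to be unambiguous.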