It seems that a stack-overflow has recently been introduced into the function getASN1Element() in lib/vtls/x509asn1.c:219:
```c
static const char *getASN1Element(struct Curl_asn1Element *elem,
                                  const char *beg, const char *end)
{
  // --- snip ---
  else if(!(b &= 0x7F)) {
    /* Unspecified length. Since we have all the data, we can determine the
       effective length by skipping element until an end element is found. */
    if(!elem->constructed)
      return NULL;
    elem->beg = beg;
    while(beg < end && *beg) {
      beg = getASN1Element(&lelem, beg, end);
      if(!beg)
        return NULL;
    }
  // --- snip ---
}
```
A specifically crafted x509 certificate can cause a lot of recursions by repeatedly triggering beg = getASN1Element(&lelem, beg, end); that eventually overflow the stack area and cause an abnormal crash of curl or a client using libcurl. This works because getASN1Element() calls itself again in line 219 after consuming two specific bytes from the certificate. Since only two bytes of ASN1 data are needed for a new invocation of getASN1Element(), a relatively small, malicious certificate can already cause a DOS.
According to your vuln-disclosure-policy you don't consider this to be a security vulnerability, so I report it here as an issue. I did not make a PR because I am unsure how to best fix this.
@z2-2z thanks for the report and the samples. I propose to fix this via #16137, where I limited the recursion level to 16. I believe that should be enough to parse valid certificates and work on all architectures.
Would you care to review (once I get the CI kinks ironed out)? Thanks.
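To make the proposed mitigation concrete, the following is an added example (not curl's own code) of a minimal BER element walker shaped like getASN1Element(): every indefinite-length constructed header costs one recursive call, and a depth counter rejects nesting beyond a limit instead of letting the stack grow with the input. The names walk_element, parse_nested and MAX_ASN1_DEPTH are assumed for this example; the limit of 16 echoes the number mentioned for #16137.

```c
#include <stddef.h>
#include <string.h>
/* Nesting limit for indefinite-length elements; 16 mirrors the limit the
   maintainer proposes above (example constant, not curl's own). */
#define MAX_ASN1_DEPTH 16
/* Walk one BER element at beg and return a pointer just past it, or NULL on
   malformed input or excessive nesting. Only short definite and indefinite
   lengths are handled, which is enough to show the recursion. */
static const char *walk_element(const char *beg, const char *end, int depth)
{
  unsigned char tag, b;
  if(depth >= MAX_ASN1_DEPTH || end - beg < 2) /* the guard bounds recursion */
    return NULL;
  tag = (unsigned char)beg[0];
  b = (unsigned char)beg[1];
  beg += 2;
  if(!(b & 0x80)) {                 /* short definite form: b is the length */
    if(end - beg < (ptrdiff_t)b)
      return NULL;
    return beg + b;
  }
  /* Long definite form is not modelled; indefinite needs a constructed tag. */
  if((b & 0x7F) || !(tag & 0x20))
    return NULL;
  /* Every child is an element, so each 0x30 0x80 pair costs one stack frame. */
  while(beg < end && *beg) {
    beg = walk_element(beg, end, depth + 1);
    if(!beg)
      return NULL;
  }
  if(end - beg < 2 || beg[0] || beg[1]) /* end-of-contents must be 00 00 */
    return NULL;
  return beg + 2;
}

/* Constructed input: n nested "SEQUENCE, indefinite length" headers
   (0x30 0x80) followed by n end-of-contents pairs. Returns 1 if accepted. */
int parse_nested(int n)
{
  char buf[4096];
  size_t i, len = (size_t)n * 4;
  if(n < 1 || len > sizeof buf)
    return 0;
  for(i = 0; i < (size_t)n; i++) {
    buf[2 * i] = 0x30;
    buf[2 * i + 1] = (char)0x80;
  }
  memset(buf + 2 * n, 0, 2 * (size_t)n);
  return walk_element(buf, buf + len, 0) == buf + len;
}
```

Valid nesting within the limit still parses, while input that would previously have recursed once per two bytes is rejected at a fixed depth.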
I did this
Here you can find a concrete certificate that triggers the stack-overflow when directly fed into Curl_parseX509(): crash-3571ec1518df2d194685a4345a601d10d86c2ed0.txt
I expected the following
Graceful handling of the invalid certificate without crashing.
curl/libcurl version
commit 4f95f32
operating system
Linux <redacted> 6.12.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 19 Dec 2024 21:29:01 +0000 x86_64 GNU/Linux