nds_gtls: fix regression that could lead to attack (never released ve…

…rsion) Commit 7589f42 introduced support for loading certificate chains. Unfortunatley the max number of permitted certificates was miscalculated and so a certificate chain with more than 10 certificates could lead to a buffer overrun. This patch corrects this. Note that the commit was merged just yesterday and there was no release with the affected code. Also, this commit adds GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED to ensure the certificate export will fail with an error message if the certificate list contains too many certificates. Thx to Arne Nordmark for suggesting that option.
rsyslog · Jun 14, 2018 · b4a3d76 · b4a3d76
1 parent 171c5eb
commit b4a3d76
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
@@ -182,7 +182,6 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
 	gnutls_datum_t data = { NULL, 0 };
 	uchar *keyFile;
 	uchar *certFile;
-	int lenRcvd;
 
 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
 
@@ -202,10 +201,11 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
 
 	/* try load certificate */
 	CHKiRet(readFile(certFile, &data));
-	pThis->nOurCerts=sizeof(pThis->pOurCerts);
-	lenRcvd=gnutls_x509_crt_list_import(pThis->pOurCerts, &pThis->nOurCerts, &data, GNUTLS_X509_FMT_PEM,0);
-	if (lenRcvd<0) {
-		CHKgnutls(lenRcvd);
+	pThis->nOurCerts = NSD_GTLS_MAX_CERT;
+	gnuRet = gnutls_x509_crt_list_import(pThis->pOurCerts, &pThis->nOurCerts,
+		&data, GNUTLS_X509_FMT_PEM,  GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+	if(gnuRet < 0) {
+		ABORTgnutls;
 	}
 	pThis->bOurCertIsInit = 1;
 	free(data.data);