Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing Check for file bad size #2527

Closed
ManSoSec opened this issue Oct 24, 2019 · 8 comments · Fixed by #2598
Closed

Missing Check for file bad size #2527

ManSoSec opened this issue Oct 24, 2019 · 8 comments · Fixed by #2598
Assignees
@dgarske

Comments

@ManSoSec
Copy link

ManSoSec commented Oct 24, 2019
edited

src/ssl.c

There is following check in this function: wolfSSL_CertManagerVerify
after sz = XFTELL(file); XREWIND(file);:

if (sz > MAX_WOLFSSL_FILE_SIZE || sz <= 0) {
        WOLFSSL_MSG("CertManagerVerify file bad size");
        XFCLOSE(file);
        return WOLFSSL_BAD_FILE;
    }

While it is missed in wolfSSL_SetTmpDH_file_wrapper and ProcessFile
@dgarske dgarske self-assigned this Oct 24, 2019
@dgarske
Copy link
Contributor

dgarske commented Oct 24, 2019

Hi ManSoSec,

Thanks for pointing out that we are not consistent with the enforcement of MAX_WOLFSSL_FILE_SIZE. We will review and let you know the results.

Thanks,
David Garske, wolfSSL

@ManSoSec
Copy link
Author

ProcessFile function is in the same situation: missing the enforcement of MAX_WOLFSSL_FILE_SIZE

@ManSoSec
Copy link
Author

ManSoSec commented Nov 8, 2019

Hi @dgarske,

Is there any update on this issue? Thanks!

@dgarske
Copy link
Contributor

dgarske commented Nov 11, 2019

HI @ManSoSec : Thanks for checking in. It's on my list, but low priority. Is this causing you guys any issues?

Thanks,
David Garske, wolfSSL

@ManSoSec
Copy link
Author

Hi @dgarske, Thanks for your reply. Our research focuses on finding bugs and one of the tools we are testing is wolfSSL. We just wanted to be sure if this reported bug is a valid one. Feedbacks from the developers can help both parties to pursue more reliable research as well as fixing more valid bugs. Thanks!

dgarske added a commit to dgarske/wolfssl that referenced this issue Nov 18, 2019
@dgarske
Improvements for XFTELL return code and MAX_WOLFSSL_FILE_SIZE che…
ca5549a 
…cking.

Fixes wolfSSL#2527
@dgarske dgarske mentioned this issue Nov 18, 2019
Merged
@ManSoSec
Copy link
Author

ManSoSec commented Nov 20, 2019
edited

Hi @dgarske

May I ask what is the potential security consequence of the 14 missing checks? I feel one can be memory leak as big files can be sent to WolfSSL and XMALLOC
allocate memory to them so wasting the memory. Thanks!

@dgarske
Copy link
Contributor

dgarske commented Nov 20, 2019

Hi @ManSoSec ,

Again thank for your reporting this inconsistency. The PR #2598 just adds sanity checks for file sizes. In my opinion there is no security risk here. Someone would to have already compromised access to the file system and access the certificates being loaded. Then would have to enlarge the size of a file and load it with valid content. This would cause additional memory use, but not leaks.

Thanks,
David Garske, wolfSSL

@ManSoSec
Copy link
Author

Hi @dgarske

Sure! Thank you for the clarification!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dgarske dgarske

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Improvements to file size checks dgarske/wolfssl
2 participants
@dgarske @ManSoSec