Sākums Izpētīt Palīdzība
Pierakstīties
OWEALs
/
ucert
spogulis no https://git.openwrt.org/project/ucert.git
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Pārlūkot izejas kodu

fix certificate blob parsing vulnerability by using blob_parse_untrusted

blob_parse expects blobs from trusted inputs, but in this case it can be
supplied with possibly malicious certificates from untrusted inputs as
well, so in order to prevent such conditions, switch to
blob_parse_untrusted which should hopefully handle such inputs
appropriately.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Petr Štetiar 4 gadi atpakaļ
vecāks
19a7225ac0
revīzija
14a279411c
1 mainītis faili ar 1 papildinājumiem un 1 dzēšanām
Dalītais skats Rādīt salīdzināšanas statistiku
  1. 1 1
      ucert.c

+ 1 - 1
ucert.c
Parādīt failu 

@@ -154,7 +154,7 @@ static int cert_load(const char *certfile, struct list_head *chain) {
 
 
 	bufpt = (struct blob_attr *)filebuf;
 
 	do {
 
-		pret = blob_parse(bufpt, certtb, cert_policy, CERT_ATTR_MAX);
 
+		pret = blob_parse_untrusted(bufpt, len, certtb, cert_policy, CERT_ATTR_MAX);
 
 		if (pret <= 0)
 
 			/* no attributes found */
 
 			break;