From patchwork Thu Dec 19 22:04:21 2019
X-Patchwork-Submitter: Petr Štetiar
X-Patchwork-Id: 1213776
X-Patchwork-Delegate: ynezz@true.cz
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Cc: Petr Štetiar
Date: Thu, 19 Dec 2019 23:04:21 +0100
Message-Id: <20191219220421.22206-10-ynezz@true.cz>
In-Reply-To: <20191219220421.22206-1-ynezz@true.cz>
References: <20191219220421.22206-1-ynezz@true.cz>
Subject: [OpenWrt-Devel] [PATCH ucert 9/9] fix certificate blob parsing vulnerability by using blob_parse_untrusted

blob_parse expects blobs from trusted inputs, but in this case it can be supplied with possibly malicious certificates from untrusted inputs as well, so in order to prevent such conditions, switch to blob_parse_untrusted which should hopefully handle such inputs appropriately.

Signed-off-by: Petr Štetiar
---
 ucert.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ucert.c b/ucert.c
index 76960a200be0..d822199eb7f8 100644
--- a/ucert.c
+++ b/ucert.c
@@ -154,7 +154,7 @@ static int cert_load(const char *certfile, struct list_head *chain) { bufpt = (struct blob_attr *)filebuf; do { - pret = blob_parse(bufpt, certtb, cert_policy, CERT_ATTR_MAX); + pret = blob_parse_untrusted(bufpt, len, certtb, cert_policy, CERT_ATTR_MAX); if (pret <= 0) /* no attributes found */ break;
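Review bot: the new `blob_parse_untrusted(bufpt, len, ...)` call bounds the parse by `len`, but this hunk does not show how `len` relates to `bufpt` across iterations of the surrounding `do { ... }` loop; `bufpt` starts at `filebuf` and must advance to the next certificate each pass, so if `len` stays at the full file size while `bufpt` moves, later iterations are checked against a bound that is too large and the untrusted parser can still read past the end of `filebuf`. Please confirm `len` is reduced in step with `bufpt` (or pass the remaining length, e.g. the file size minus the offset of `bufpt` from `filebuf`), and add a short comment on the loop stating that `len` is the number of bytes still unconsumed. Also, since `blob_parse_untrusted` is a newer libubox entry point than `blob_parse`, the commit message should state the minimum libubox revision ucert now requires, so packagers know why a build against an older libubox fails at link time.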