Copilot commented on code in PR #13117:
URL: https://github.com/apache/trafficserver/pull/13117#discussion_r3134548097
##########
src/iocore/net/TLSCertCompression_zlib.cc:
##########
@@ -53,6 +54,11 @@ compression_func_zlib(SSL * /* ssl */, CBB *out, const
uint8_t *in, size_t in_le
int
decompression_func_zlib(SSL * /* ssl */, CRYPTO_BUFFER **out, size_t
uncompressed_len, const uint8_t *in, size_t in_len)
{
+ if (uncompressed_len > MAX_CERT_UNCOMPRESSED_LEN) {
Review Comment:
On this early failure path, `*out` is left untouched. For consistency with
the other failure branches (which set `*out = nullptr`) and to avoid
propagating a stale pointer to the caller, explicitly set `*out = nullptr`
before returning 0.
```suggestion
if (uncompressed_len > MAX_CERT_UNCOMPRESSED_LEN) {
*out = nullptr;
```
##########
src/iocore/net/TLSCertCompression_zstd.cc:
##########
@@ -60,6 +61,11 @@ compression_func_zstd(SSL * /* ssl */, CBB *out, const
uint8_t *in, size_t in_le
int
decompression_func_zstd(SSL * /* ssl */, CRYPTO_BUFFER **out, size_t
uncompressed_len, const uint8_t *in, size_t in_len)
{
+ if (uncompressed_len > MAX_CERT_UNCOMPRESSED_LEN) {
Review Comment:
On this early failure path, `*out` is left untouched. For consistency with
the other failure branches (which set `*out = nullptr`) and to avoid
propagating a stale pointer to the caller, explicitly set `*out = nullptr`
before returning 0.
```suggestion
if (uncompressed_len > MAX_CERT_UNCOMPRESSED_LEN) {
*out = nullptr;
```
##########
src/iocore/net/TLSCertCompression.h:
##########
@@ -27,6 +27,11 @@
#include <vector>
#include <string>
+// RFC 8879 uses uint24 for uncompressed_length, allowing up to ~16 MB.
+// Real certificate chains are well under 64 KB — cap allocation to
+// prevent a decompression bomb from a malicious peer.
+constexpr size_t MAX_CERT_UNCOMPRESSED_LEN = 128 * 1024;
Review Comment:
This introduces new behavior (rejecting oversized `uncompressed_length`
values). Please add coverage (e.g., extend the existing
`tests/gold_tests/tls/tls_cert_comp.test.py` suite or add a focused unit test)
to verify an oversized value is rejected and the appropriate
`cert_decompress.*_failure` metric increments.
##########
src/iocore/net/TLSCertCompression_brotli.cc:
##########
@@ -55,6 +56,11 @@ compression_func_brotli(SSL * /* ssl */, CBB *out, const
uint8_t *in, size_t in_
int
decompression_func_brotli(SSL * /* ssl */, CRYPTO_BUFFER **out, size_t
uncompressed_len, const uint8_t *in, size_t in_len)
{
+ if (uncompressed_len > MAX_CERT_UNCOMPRESSED_LEN) {
Review Comment:
On this early failure path, `*out` is left untouched. For consistency with
the other failure branches (which set `*out = nullptr`) and to avoid
propagating a stale pointer to the caller, explicitly set `*out = nullptr`
before returning 0.
```suggestion
if (uncompressed_len > MAX_CERT_UNCOMPRESSED_LEN) {
*out = nullptr;
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
