Re: Segfault in x509_constraints_uri_host

Sun, 27 Nov 2022 09:56:51 -0800 

On Sun, Nov 27, 2022 at 05:07:20PM +0000, Anton Borowka wrote:
> Hi,
> 
> I was trying to create a certificate with an URI SAN using
> p5-io-socket-ssl and got a segfault in
> lib/libcrypto/x509/x509_constraints.c:x509_constraints_uri_host()
> 
>   perl -MIO::Socket::SSL::Utils -le 'CERT_create
>   ext=>[{sn=>"subjectAltName",data=>"URI:urn:open62541.server.application"}]'
> 
> I think it is a regression since the "Fix URI name constraints, allow
> for URI's with no host part." change in
> x509_constraints.c. x509_constraints_uri_host() is called from
> x509_alt.c:v2i_GENERAL_NAME_ex() with NULL as hostpart which can not be
> dereferenced.
> 
> The diff below adds a check for NULL and fixed the issue for me.

Thanks. Can also be triggered with

        openssl req -new -addext 'subjectAltName = URI:urn:blah'

Below the original diff with a small tweak to the constraints regress
that would have triggered the issue.

Not really a big deal since it can only be reached via v2i.

Unless I hear objections, I'm going to commit this tomorrow.

Index: lib/libcrypto/x509/x509_constraints.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_constraints.c,v
retrieving revision 1.29
diff -u -p -r1.29 x509_constraints.c
--- lib/libcrypto/x509/x509_constraints.c       11 Nov 2022 12:02:34 -0000      
1.29
+++ lib/libcrypto/x509/x509_constraints.c       27 Nov 2022 17:27:19 -0000
@@ -530,7 +530,8 @@ x509_constraints_uri_host(uint8_t *uri, 
                 * we indicate that we have a URI with an empty
                 * host part, and succeed.
                 */
-               *hostpart = strdup("");
+               if (hostpart != NULL)
+                       *hostpart = strdup("");
                return 1;
        }
        for (i = authority - uri; i < len; i++) {
Index: regress/lib/libcrypto/x509/constraints.c
===================================================================
RCS file: /cvs/src/regress/lib/libcrypto/x509/constraints.c,v
retrieving revision 1.14
diff -u -p -r1.14 constraints.c
--- regress/lib/libcrypto/x509/constraints.c    23 Nov 2022 23:06:16 -0000      
1.14
+++ regress/lib/libcrypto/x509/constraints.c    27 Nov 2022 17:48:41 -0000
@@ -466,6 +466,8 @@ test_constraints1(void)
                        char *hostpart = NULL;
                        error = 0;
                        if (!x509_constraints_uri_host(noauthority[j],
+                           strlen(noauthority[j]), NULL) ||
+                           !x509_constraints_uri_host(noauthority[j],
                            strlen(noauthority[j]), &hostpart)) {
                                FAIL("name '%s' should parse as a URI",
                                    noauthority[j]);

Reply via email to