| From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Mon, 9 May 2022 10:07:15 +0200 |
| Subject: [PATCH] nss: return error if seemingly stuck in a cert loop |
| |
| CVE-2022-27781 |
| |
| Reported-by: Florian Kohnhรคuser |
| Bug: https://curl.se/docs/CVE-2022-27781.html |
| Closes #8822 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917] |
| Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> |
| --- |
| lib/vtls/nss.c | 8 ++++++++ |
| 1 file changed, 8 insertions(+) |
| |
| diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c |
| index 558e3be..52f2060 100644 |
| --- a/lib/vtls/nss.c |
| +++ b/lib/vtls/nss.c |
| @@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, |
| PR_Free(common_name); |
| } |
| |
| +/* A number of certs that will never occur in a real server handshake */ |
| +#define TOO_MANY_CERTS 300 |
| + |
| static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) |
| { |
| CURLcode result = CURLE_OK; |
| @@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) |
| cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); |
| while(cert2) { |
| i++; |
| + if(i >= TOO_MANY_CERTS) { |
| + CERT_DestroyCertificate(cert2); |
| + failf(data, "certificate loop"); |
| + return CURLE_SSL_CERTPROBLEM; |
| + } |
| if(cert2->isRoot) { |
| CERT_DestroyCertificate(cert2); |
| break; |