{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1752655737,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"de1a142d1cc52805986e028d9be3c1bf",
"commit": {"type":"commit",
"time": 1489277954,
"time_ofs": 0,
"oid_tree": { "oid": "89aabb7a9041e1c7cd13a87265551adb6b469581", "alias": []},
"oid":{ "oid": "8a585601fea1091022034dd14b961c1ecd5916c3", "alias": []},
"msg": "Fix out-of-memory condition in conf",
"sig_commit": { "git_time": { "time": 1489277954, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" },
"sig_author": { "git_time": { "time": 1489143095, "offset": 0 }, "name": "Matt Caswell", "email": "matt@openssl.org", "md5": "10f7b441a32d5790efad9fc68cae4af2" }},
"body": "Fix out-of-memory condition in conf\n\nconf has the ability to expand variables in config files. Repeatedly doing\nthis can lead to an exponential increase in the amount of memory required.\nThis places a limit on the length of a value that can result from an\nexpansion.\n\nCredit to OSS-Fuzz for finding this problem.\n\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\nReviewed-by: Richard Levitte \u003clevitte@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/2894)"
,
"diff": "diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c\nindex 8861b3a..a7b11d1 100644\n--- a/crypto/conf/conf_def.c\n+++ b/crypto/conf/conf_def.c\n@@ -20,6 +20,12 @@\n #include \u003copenssl/buffer.h\u003e\n #include \u003copenssl/err.h\u003e\n \n+/*\n+ * The maximum length we can grow a value to after variable expansion. 64k\n+ * should be more than enough for all reasonable uses.\n+ */\n+#define MAX_CONF_VALUE_LENGTH 65536\n+\n static char *eat_ws(CONF *conf, char *p);\n static char *eat_alpha_numeric(CONF *conf, char *p);\n static void clear_comments(CONF *conf, char *p);\n@@ -457,6 +463,8 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)\n } else if (IS_EOF(conf, *from))\n break;\n else if (*from \u003d\u003d '$') {\n+ size_t newsize;\n+\n /* try to expand it */\n rrp \u003d NULL;\n s \u003d \u0026(from[1]);\n@@ -511,8 +519,12 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)\n CONFerr(CONF_F_STR_COPY, CONF_R_VARIABLE_HAS_NO_VALUE);\n goto err;\n }\n- if (!BUF_MEM_grow_clean(buf,\n- (strlen(p) + buf-\u003elength - (e - from)))) {\n+ newsize \u003d strlen(p) + buf-\u003elength - (e - from);\n+ if (newsize \u003e MAX_CONF_VALUE_LENGTH) {\n+ CONFerr(CONF_F_STR_COPY, CONF_R_VARIABLE_EXPANSION_TOO_LONG);\n+ goto err;\n+ }\n+ if (!BUF_MEM_grow_clean(buf, newsize)) {\n CONFerr(CONF_F_STR_COPY, ERR_R_MALLOC_FAILURE);\n goto err;\n }\ndiff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c\nindex b583c05..0863bc4 100644\n--- a/crypto/conf/conf_err.c\n+++ b/crypto/conf/conf_err.c\n@@ -1,6 +1,6 @@\n /*\n * Generated by util/mkerr.pl DO NOT EDIT\n- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \u0022License\u0022). You may not use\n * this file except in compliance with the License. 
You can obtain a copy\n@@ -60,6 +60,8 @@ static ERR_STRING_DATA CONF_str_reasons[] \u003d {\n {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION),\n \u0022unable to create new section\u0022},\n {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME), \u0022unknown module name\u0022},\n+ {ERR_REASON(CONF_R_VARIABLE_EXPANSION_TOO_LONG),\n+ \u0022variable expansion too long\u0022},\n {ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE), \u0022variable has no value\u0022},\n {0, NULL}\n };\ndiff --git a/doc/man5/config.pod b/doc/man5/config.pod\nindex 24ebafb..ba9a8ab 100644\n--- a/doc/man5/config.pod\n+++ b/doc/man5/config.pod\n@@ -44,7 +44,8 @@ or B\u003c${section::name}\u003e. By using the form B\u003c$ENV::name\u003e environment\n variables can be substituted. It is also possible to assign values to\n environment variables by using the name B\u003cENV::name\u003e, this will work\n if the program looks up environment variables using the B\u003cCONF\u003e library\n-instead of calling getenv() directly.\n+instead of calling getenv() directly. The value string must not exceed 64k in\n+length after variable expansion. Otherwise an error will occur.\n \n It is possible to escape certain characters by using any kind of quote\n or the B\u003c\u005c\u003e character. 
By making the last character of a line a B\u003c\u005c\u003e\ndiff --git a/fuzz/corpora/conf/0d7ad6e04c0235cdc590756ceec867a05cff5823 b/fuzz/corpora/conf/0d7ad6e04c0235cdc590756ceec867a05cff5823\nnew file mode 100644\nindex 0000000..b0ed191\n--- /dev/null\n+++ b/fuzz/corpora/conf/0d7ad6e04c0235cdc590756ceec867a05cff5823\n@@ -0,0 +1,41 @@\n+\u003d;2I8\n+\u003d$$$$$$\n+\u003d$$$$$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$$$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$$$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$\n+\u003d$$$\n+\u003d$$$$$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$\n+\u003d$$$$$\n\u005c No newline at end of file\ndiff --git a/include/openssl/conf.h b/include/openssl/conf.h\nindex 462e3c9..980a51b 100644\n--- a/include/openssl/conf.h\n+++ b/include/openssl/conf.h\n@@ -208,6 +208,7 @@ int ERR_load_CONF_strings(void);\n # define CONF_R_NO_VALUE 108\n # define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103\n # define CONF_R_UNKNOWN_MODULE_NAME 113\n+# define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116\n # define CONF_R_VARIABLE_HAS_NO_VALUE 104\n \n # ifdef __cplusplus\n","s":{"c":1752655737,"u": 29061}}
],"g": 30969,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}
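Review bot: in crypto/conf/conf_def.c, last str_copy hunk, the line "newsize = strlen(p) + buf->length - (e - from);" subtracts a pointer difference inside unsigned arithmetic, and nothing in the hunk says why the result cannot wrap. With the new "newsize > MAX_CONF_VALUE_LENGTH" check a wrapped value is rejected instead of reaching BUF_MEM_grow_clean, which is the safe outcome, but it would be reported as CONF_R_VARIABLE_EXPANSION_TOO_LONG. A one-line comment stating the invariant (that e - from never exceeds the bytes already counted in buf->length) would make the intent clear. The comparison is ">", so a value of exactly 65536 is accepted; that matches the "must not exceed" wording in config.pod and is worth keeping in sync if either side changes.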
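Review bot: in doc/man5/config.pod, the added sentence "The value string must not exceed 64k in length after variable expansion" is appended to the paragraph about ENV::name and getenv(), although the limit in str_copy applies to every variable expansion, not only environment variables. Suggest moving it to its own paragraph, giving the limit as 65536 bytes to match MAX_CONF_VALUE_LENGTH, and naming the resulting error ("variable expansion too long") so users can match it against what they see.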
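Review bot: the only test artifact in this patch is the new reproducer under fuzz/corpora/conf/, which exercises the path but asserts nothing about the outcome. Suggest adding a regression test that loads a config whose expansion exceeds MAX_CONF_VALUE_LENGTH and checks that parsing fails with CONF_R_VARIABLE_EXPANSION_TOO_LONG, plus a boundary case at the limit that still succeeds, so a later change to the constant or the comparison is caught.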