File curl-CVE-2022-27781.patch of Package curl.24877

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2022-27781.patch of Package curl.24877

From 625924941cbd684c2a6b10d18aa6920a27c31db3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 3 May 2022 09:24:56 +0200
Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CVE-2022-27781

Reported-by: Florian Kohnhäuser
Bug: https://curl.se/docs/CVE-2022-27781.html
---
 lib/vtls/nss.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 5b7de9f81..569c0628f 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -981,10 +981,13 @@ static void display_cert_info(struct Curl_easy *data,
   PR_Free(subject);
   PR_Free(issuer);
   PR_Free(common_name);
 }
 
+/* A number of certs that will never occur in a real server handshake */
+#define TOO_MANY_CERTS 300
+
 static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
 {
   CURLcode result = CURLE_OK;
   SSLChannelInfo channel;
   SSLCipherSuiteInfo suite;
@@ -1016,10 +1019,15 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
       now = PR_Now();
       if(!cert->isRoot) {
         cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
         while(cert2) {
           i++;
+          if(i >= TOO_MANY_CERTS) {
+            CERT_DestroyCertificate(cert2);
+            failf(data, "certificate loop");
+            return CURLE_SSL_CERTPROBLEM;
+          }
           if(cert2->isRoot) {
             CERT_DestroyCertificate(cert2);
             break;
           }
           cert3 = CERT_FindCertIssuer(cert2, now, certUsageSSLCA);
-- 
2.36.0

Places

File curl-CVE-2022-27781.patch of Package curl.24877

Places