43 lines
1.3 KiB
Diff
43 lines
1.3 KiB
Diff
Backport of:
|
|
|
|
From 625924941cbd684c2a6b10d18aa6920a27c31db3 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Tue, 3 May 2022 09:24:56 +0200
|
|
Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2022-27781
|
|
|
|
Reported-by: Florian Kohnhäuser
|
|
Bug: https://curl.se/docs/CVE-2022-27781.html
|
|
---
|
|
lib/vtls/nss.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
--- a/lib/vtls/nss.c
|
|
+++ b/lib/vtls/nss.c
|
|
@@ -949,6 +949,9 @@ static void display_cert_info(struct Cur
|
|
PR_Free(common_name);
|
|
}
|
|
|
|
+/* A number of certs that will never occur in a real server handshake */
|
|
+#define TOO_MANY_CERTS 300
|
|
+
|
|
static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
|
|
{
|
|
CURLcode result = CURLE_OK;
|
|
@@ -985,6 +988,11 @@ static CURLcode display_conn_info(struct
|
|
cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
|
|
while(cert2) {
|
|
i++;
|
|
+ if(i >= TOO_MANY_CERTS) {
|
|
+ CERT_DestroyCertificate(cert2);
|
|
+ failf(conn->data, "certificate loop");
|
|
+ return CURLE_SSL_CERTPROBLEM;
|
|
+ }
|
|
if(cert2->isRoot) {
|
|
CERT_DestroyCertificate(cert2);
|
|
break;
|