44 lines
1.4 KiB
Diff
44 lines
1.4 KiB
Diff
From 5c7da89d404bf59c8dd82a001119a16d18365917 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 9 May 2022 10:07:15 +0200
|
|
Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2022-27781
|
|
|
|
Reported-by: Florian Kohnhäuser
|
|
Bug: https://curl.se/docs/CVE-2022-27781.html
|
|
Closes #8822
|
|
---
|
|
lib/vtls/nss.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
|
index 5b7de9f81895..569c0628feb5 100644
|
|
--- a/lib/vtls/nss.c
|
|
+++ b/lib/vtls/nss.c
|
|
@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
|
|
PR_Free(common_name);
|
|
}
|
|
|
|
+/* A number of certs that will never occur in a real server handshake */
|
|
+#define TOO_MANY_CERTS 300
|
|
+
|
|
static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
|
|
{
|
|
CURLcode result = CURLE_OK;
|
|
@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
|
|
cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
|
|
while(cert2) {
|
|
i++;
|
|
+ if(i >= TOO_MANY_CERTS) {
|
|
+ CERT_DestroyCertificate(cert2);
|
|
+ failf(data, "certificate loop");
|
|
+ return CURLE_SSL_CERTPROBLEM;
|
|
+ }
|
|
if(cert2->isRoot) {
|
|
CERT_DestroyCertificate(cert2);
|
|
break;
|