50 lines
1.6 KiB
Diff
50 lines
1.6 KiB
Diff
commit 6f3884fb41167f3bded9a46fedef1b2089ca00d2
|
|
Author: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon May 9 10:07:15 2022 +0200
|
|
|
|
[Backport] nss: return error if seemingly stuck in a cert loop
|
|
|
|
Offering: RTOS
|
|
CVE: CVE-2022-27781
|
|
Reference: upstream_commit_id=5c7da89d404bf59c8dd82a001119a16d18365917
|
|
|
|
DTS/AR: DTS2022051305838
|
|
type: LTS
|
|
reason: fix CVE-2022-27781 for curl.
|
|
weblink:https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917
|
|
|
|
CVE-2022-27781
|
|
|
|
Reported-by: Florian Kohnhäuser
|
|
Bug: https://curl.se/docs/CVE-2022-27781.html
|
|
Closes #8822
|
|
|
|
Signed-off-by: jiahuasheng <jiahuasheng@h-partners.com>
|
|
|
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
|
index cf657895f..e3782a4ee 100644
|
|
--- a/lib/vtls/nss.c
|
|
+++ b/lib/vtls/nss.c
|
|
@@ -972,6 +972,9 @@ static void display_cert_info(struct Curl_easy *data,
|
|
PR_Free(common_name);
|
|
}
|
|
|
|
+/* A number of certs that will never occur in a real server handshake */
|
|
+#define TOO_MANY_CERTS 300
|
|
+
|
|
static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
|
|
{
|
|
CURLcode result = CURLE_OK;
|
|
@@ -1007,6 +1010,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
|
|
cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
|
|
while(cert2) {
|
|
i++;
|
|
+ if(i >= TOO_MANY_CERTS) {
|
|
+ CERT_DestroyCertificate(cert2);
|
|
+ failf(data, "certificate loop");
|
|
+ return CURLE_SSL_CERTPROBLEM;
|
|
+ }
|
|
if(cert2->isRoot) {
|
|
CERT_DestroyCertificate(cert2);
|
|
break;
|