Segfault in encodeDN #13684

Trzik · 2024-05-17T09:11:19Z

I did this

The issue happens when curl tries to parse this structure, specifically the OID 1.2.840.113549.1.9.2 - unstructuredName

The segfault (nullptr dereference) happens on this line:

curl/lib/vtls/x509asn1.c

Line 694 in fd0d2ed

for(p3 = str; ISUPPER(*p3); p3++)

The issue comes from OID2str when searchOID is invoked. OIDtable is searched, entry 1.2.840.113549.1.9.2 is not found and the function returns NULL. However, the result stays CURLE_OK so the calling code assumes the dynbuf is perfectly valid when it is in fact still in unallocated state.

For the record, the issue started occurring with commit 623c3a8 since version 8.6.0.

I'm also attaching a patch that may be helpful.
x509asn1.patch

I expected the following

Not a crash

curl/libcurl version

curl 8.6.0

operating system

Windows 10 (x64, 22631)

The text was updated successfully, but these errors were encountered:

to avoid crash when dereferencing a NULL pointer. Reported-by: Trzik on github Patch-by: Trzik on github Fixes #13684

bagder added crash TLS labels May 17, 2024

bagder self-assigned this May 17, 2024

bagder added a commit that referenced this issue May 17, 2024

x509asn1: return error on missing OID

30b49fb

to avoid crash when dereferencing a NULL pointer. Reported-by: Trzik on github Patch-by: Trzik on github Fixes #13684

bagder added the regression label May 17, 2024

bagder mentioned this issue May 17, 2024

x509asn1: return error on missing OID #13685

Closed

bagder closed this as completed in 13ca438 May 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segfault in encodeDN #13684

Segfault in encodeDN #13684

Trzik commented May 17, 2024

Segfault in encodeDN #13684

Segfault in encodeDN #13684

Comments

Trzik commented May 17, 2024

I did this

I expected the following

curl/libcurl version

operating system