CVSROOT:        /cvs
Module name:    src
Changes by:     t...@cvs.openbsd.org    2021/03/12 08:53:38

Modified files:
        lib/libcrypto/x509: x509_constraints.c x509_internal.h x509_verify.c

Log message:
Fix checks of memory caps of constraints names

x509_internal.h defines caps on the number of name constraints and
other names (such as subjectAltNames) that we want to allocate per
cert chain. These limits are checked too late. In a particularly
silly cert that jan found on ugos.ugm.ac.id 443, we ended up
allocating six times 2048 x509_constraint_name structures before
deciding that these are more than 512.

Fix this by adding a names_max member to x509_constraints_names which
is set on allocation against which each addition of a name is checked.

cluebat/ok jsing
ok inoguchi on earlier version
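
A minimal sketch of the approach the log message describes, with the cap stored at allocation time and checked on every addition before any memory is allocated. This is an added example, not the code from the commit; `name_list`, `name_list_new`, `name_list_add` and `name_list_feed` are hypothetical names and the sample name is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical capped list; max is fixed when the list is allocated. */
struct name_list {
	char	**names;
	size_t	  count, len;	/* entries in use, slots allocated */
	size_t	  max;		/* hard cap on entries (small, e.g. 512) */
};

struct name_list *name_list_new(size_t max)
{
	struct name_list *nl = calloc(1, sizeof(*nl));
	if (nl != NULL)
		nl->max = max;
	return nl;
}

/* Returns 1 on success, 0 when the cap is reached or allocation fails. */
int name_list_add(struct name_list *nl, const char *name)
{
	size_t newlen, n = strlen(name) + 1;
	char **tmp, *copy;

	if (nl->count >= nl->max)	/* checked before any allocation */
		return 0;
	if (nl->count == nl->len) {
		newlen = nl->len ? nl->len * 2 : 8;
		if (newlen > nl->max)	/* never grow past the cap */
			newlen = nl->max;
		if ((tmp = realloc(nl->names, newlen * sizeof(*tmp))) == NULL)
			return 0;
		nl->names = tmp;
		nl->len = newlen;
	}
	if ((copy = malloc(n)) == NULL)
		return 0;
	memcpy(copy, name, n);
	nl->names[nl->count++] = copy;
	return 1;
}

/* Feed n constructed names, as an oversized cert would; return how many fit. */
size_t name_list_feed(struct name_list *nl, size_t n)
{
	size_t i = 0;
	while (i < n && name_list_add(nl, "constructed.example"))
		i++;
	return i;
}
```

With a cap of 512, feeding 2048 names stops after the 512th, and the backing array never grows beyond 512 slots.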