Skip to content

Fix use-after-free possibility in GetCRLInfo #10693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
padelsbach wants to merge 1 commit into
base: master
Choose a base branch
from
+39 −12
Open

Fix use-after-free possibility in GetCRLInfo #10693

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 27 additions & 12 deletions src/crl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -687,13 +687,22 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
#ifdef HAVE_CRL_UPDATE_CB
static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info)
{
info->issuerHash = (byte *)entry->issuerHash;
info->issuerHashLen = CRL_DIGEST_SIZE;
info->lastDate = (byte *)entry->lastDate;
info->lastDateMaxLen = MAX_DATE_SIZE;
/* Ensure the copy below stays within bounds. */
wc_static_assert(sizeof(info->issuerHashData) == sizeof(entry->issuerHash));

/* Copy into info's own buffers so the pointers stay valid for the
* lifetime of the CrlInfo, not just that of the source entry. */
info->issuerHashLen = sizeof(info->issuerHashData);
XMEMCPY(info->issuerHashData, entry->issuerHash,
sizeof(info->issuerHashData));
info->issuerHash = info->issuerHashData;
info->lastDateMaxLen = sizeof(info->lastDateData);
XMEMCPY(info->lastDateData, entry->lastDate, sizeof(info->lastDateData));
info->lastDate = info->lastDateData;
info->lastDateFormat = entry->lastDateFormat;
info->nextDate = (byte *)entry->nextDate;
info->nextDateMaxLen = MAX_DATE_SIZE;
info->nextDateMaxLen = sizeof(info->nextDateData);
XMEMCPY(info->nextDateData, entry->nextDate, sizeof(info->nextDateData));
info->nextDate = info->nextDateData;
info->nextDateFormat = entry->nextDateFormat;
info->crlNumberSet = entry->crlNumberSet;
if (info->crlNumberSet)
Expand All @@ -702,13 +711,19 @@ static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info)

static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
{
info->issuerHash = (byte *)entry->issuerHash;
info->issuerHashLen = SIGNER_DIGEST_SIZE;
info->lastDate = (byte *)entry->lastDate;
info->lastDateMaxLen = MAX_DATE_SIZE;
/* Copy into info's own buffers so the pointers stay valid after the
* decoded CRL is freed by the caller. */
info->issuerHashLen = sizeof(info->issuerHashData);
XMEMCPY(info->issuerHashData, entry->issuerHash,
sizeof(info->issuerHashData));
info->issuerHash = info->issuerHashData;
info->lastDateMaxLen = sizeof(info->lastDateData);
XMEMCPY(info->lastDateData, entry->lastDate, sizeof(info->lastDateData));
info->lastDate = info->lastDateData;
info->lastDateFormat = entry->lastDateFormat;
info->nextDate = (byte *)entry->nextDate;
info->nextDateMaxLen = MAX_DATE_SIZE;
info->nextDateMaxLen = sizeof(info->nextDateData);
XMEMCPY(info->nextDateData, entry->nextDate, sizeof(info->nextDateData));
info->nextDate = info->nextDateData;
info->nextDateFormat = entry->nextDateFormat;
info->crlNumberSet = entry->crlNumberSet;
if (info->crlNumberSet)
Expand Down
9 changes: 9 additions & 0 deletions tests/api.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26119,6 +26119,15 @@ static int test_wolfSSL_CTX_LoadCRL_largeCRLnum(void)
WOLFSSL_SUCCESS);
AssertIntEQ(XMEMCMP(
crlInfo.crlNumber, exp_crlnum, XSTRLEN(exp_crlnum)), 0);
/* The pointer fields must reference storage inside crlInfo so they stay
* valid after the call returns; before the fix they pointed into the
* freed decoded CRL. */
AssertTrue((byte*)crlInfo.issuerHash >= (byte*)&crlInfo &&
(byte*)crlInfo.issuerHash < (byte*)(&crlInfo + 1));
AssertTrue((byte*)crlInfo.lastDate >= (byte*)&crlInfo &&
(byte*)crlInfo.lastDate < (byte*)(&crlInfo + 1));
AssertTrue((byte*)crlInfo.nextDate >= (byte*)&crlInfo &&
(byte*)crlInfo.nextDate < (byte*)(&crlInfo + 1));
ExpectIntEQ(wolfSSL_CertManagerGetCRLInfo(
cm, &crlInfo, crlLrgCrlNumBuff, -1, WOLFSSL_FILETYPE_PEM),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
Expand Down
3 changes: 3 additions & 0 deletions wolfssl/ssl.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4021,6 +4021,9 @@ typedef struct CrlInfo {
word32 nextDateMaxLen;
byte nextDateFormat;
byte crlNumberSet:1;
byte issuerHashData[SIGNER_DIGEST_SIZE];

@padelsbach padelsbach Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added these buffers alongside the existing pointers rather than changing the pointers to arrays so that this change does not break the API/ABI

byte lastDateData[MAX_DATE_SIZE];
byte nextDateData[MAX_DATE_SIZE];
} CrlInfo;

typedef void (*CbUpdateCRL)(CrlInfo* old, CrlInfo* cnew);
Expand Down
Loading