From 5c7da89d404bf59c8dd82a001119a16d18365917 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 May 2022 10:07:15 +0200 Subject: [PATCH] nss: return error if seemingly stuck in a cert loop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2022-27781 Reported-by: Florian Kohnhäuser Bug: https://curl.se/docs/CVE-2022-27781.html Closes #8822 --- lib/vtls/nss.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 5b7de9f81895..569c0628feb5 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, PR_Free(common_name); } +/* A number of certs that will never occur in a real server handshake */ +#define TOO_MANY_CERTS 300 + static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) { CURLcode result = CURLE_OK; @@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); while(cert2) { i++; + if(i >= TOO_MANY_CERTS) { + CERT_DestroyCertificate(cert2); + failf(data, "certificate loop"); + return CURLE_SSL_CERTPROBLEM; + } if(cert2->isRoot) { CERT_DestroyCertificate(cert2); break;