Backport of: From 625924941cbd684c2a6b10d18aa6920a27c31db3 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 3 May 2022 09:24:56 +0200 Subject: [PATCH] nss: return error if seemingly stuck in a cert loop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVE-2022-27781 Reported-by: Florian Kohnhäuser Bug: https://curl.se/docs/CVE-2022-27781.html --- lib/vtls/nss.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -949,6 +949,9 @@ static void display_cert_info(struct Cur PR_Free(common_name); } +/* A number of certs that will never occur in a real server handshake */ +#define TOO_MANY_CERTS 300 + static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) { CURLcode result = CURLE_OK; @@ -985,6 +988,11 @@ static CURLcode display_conn_info(struct cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); while(cert2) { i++; + if(i >= TOO_MANY_CERTS) { + CERT_DestroyCertificate(cert2); + failf(conn->data, "certificate loop"); + return CURLE_SSL_CERTPROBLEM; + } if(cert2->isRoot) { CERT_DestroyCertificate(cert2); break;