libcurl at commit 04739054cdac5a0614fb94e3655e313c03399f35 contains a NULL-dereference in function encodeDN()
when parsing the certificate of a server during the TLS connect-phase.
The vulnerable code is in lib/vtls/x509asn1.c:701:
static CURLcode encodeDN(struct dynbuf *store, struct Curl_asn1Element *dn)
{
struct dynbuf temp;
Curl_dyn_init(&temp, MAX_X509_STR);
for(p1 = dn->beg; p1 < dn->end;) {
for(p2 = rdn.beg; p2 < rdn.end;) {
// --- snip ---
Curl_dyn_reset(&temp);
result = ASN1tostr(&temp, &oid, 0);
if(result)
goto error;
str = Curl_dyn_ptr(&temp);
/* Encode delimiter.
If attribute has a short uppercase name, delimiter is ", ". */
for(p3 = str; ISUPPER(*p3); p3++)
;
}
}
}
When the oid
that ASN1tostr
tries to convert to a string is an element that is constructed such that oid.constructed
is 1
ASN1tostr
returns without touching the dynbuf temp
. The following Curl_dyn_ptr()
returns NULL and ISUPPER(*p3)
causes
the application to crash.
The following exploit scenario demonstrates how to terminate an application using libcurl with the NULL dereference from above:
The null dereference causes a DOS on applications using libcurl to do TLS-encrypted connections.
It requires no special setup to trigger the crash, since it is triggered during the connect-phase of the
connection. Thus I chose severity “Low”.