From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 08:07:15 +0000 (+0200)
Subject: nss: return error if seemingly stuck in a cert loop
X-Git-Tag: curl-7_83_1~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5c7da89d404bf59c8dd82a001119a16d18365917;p=thirdparty%2Fcurl.git

nss: return error if seemingly stuck in a cert loop

CVE-2022-27781

Reported-by: Florian Kohnhäuser
Bug: https://curl.se/docs/CVE-2022-27781.html
Closes #8822
---

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 5b7de9f818..569c0628fe 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
   PR_Free(common_name);
 }
 
+/* A number of certs that will never occur in a real server handshake */
+#define TOO_MANY_CERTS 300
+
 static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
 {
   CURLcode result = CURLE_OK;
@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
         cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
         while(cert2) {
           i++;
+          if(i >= TOO_MANY_CERTS) {
+            CERT_DestroyCertificate(cert2);
+            failf(data, "certificate loop");
+            return CURLE_SSL_CERTPROBLEM;
+          }
           if(cert2->isRoot) {
             CERT_DestroyCertificate(cert2);
             break;