From: William Lallemand
Date: Sun, 3 Aug 2025 11:51:44 +0000 (+0200)
Subject: BUG/MINOR: acme: possible integer underflow in acme_txt_record()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5e262fc523dfed13486ca93331fb32ee1a8f6d3;p=thirdparty%2Fhaproxy.git

BUG/MINOR: acme: possible integer underflow in acme_txt_record()

a2base64url() can return a negative value is olen is too short to accept ilen. This is not supposed to happen since the sha256 should always fit in a buffer. But this is confusing since a2base64() returns a signed integer which is pt in output->data which is unsigned. Fix the issue by setting ret to 0 instead of -1 upon error. And returns a unsigned integer instead of a signed one. This patch also checks the return value from the caller in order to emit an error instead of setting trash.data which is already done from the function.
---
diff --git a/src/acme.c b/src/acme.c
index 3be71dfcd..5cd9b8a15 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -898,7 +898,7 @@ error:
 * https://datatracker.ietf.org/doc/html/rfc8555/#section-8.4
 *
 */
-int acme_txt_record(const struct ist thumbprint, const struct ist token, struct buffer *output)
+unsigned int acme_txt_record(const struct ist thumbprint, const struct ist token, struct buffer *output)
 {
 unsigned char md[EVP_MAX_MD_SIZE];
 struct buffer *tmp = NULL;
@@ -917,7 +917,8 @@ int acme_txt_record(const struct ist thumbprint, const struct ist token, struct
 goto out;
 ret = a2base64url((const char *)md, size, output->area, output->size);
-
+ if (ret < 0)
+ ret = 0;
 output->data = ret;
 out:
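Review bot: The comment block that ends just above the `acme_txt_record()` signature (hunk at -898) should state the return contract, because the return type is now `unsigned int` and the caller treats 0 as failure. Only the tail of that comment is visible here, so this may already be covered further up. Suggested line to add before the closing `*/`: `* Returns the number of bytes written to <output>, or 0 on error.` Spelling this out keeps future callers from assigning the result to a length field without checking it first.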
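Review bot: The clamp added in the -917 hunk covers only a failing `a2base64url()`; the `goto out` exit at the top of the hunk (and any earlier ones) returns `ret` as it was initialised, and that declaration is outside the hunk. With an unsigned return type, a negative initial value would convert to a large positive number and pass the caller's `== 0` test, so it is worth confirming the declaration reads `int ret = 0;`. Those early exits also leave `output->data` untouched, which is safe only while every caller checks the return value before reading the buffer. The function body starts and ends outside this hunk.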
@@ -1583,8 +1584,11 @@ int acme_res_auth(struct task *task, struct acme_ctx *ctx, struct acme_auth *aut
 struct sink *dpapi;
 struct ist line[7];
+ if (acme_txt_record(ist(ctx->cfg->account.thumbprint), auth->token, &trash) == 0) {
+ memprintf(errmsg, "couldn't compute the DNS-01 challenge");
+ goto error;
+ }
- trash.data = acme_txt_record(ist(ctx->cfg->account.thumbprint), auth->token, &trash);
 send_log(NULL, LOG_NOTICE,"acme: %s: DNS-01 requires to set the \"_acme-challenge.%.*s\" TXT record to \"%.*s\" and use the \"acme challenge_ready\" command over the CLI\n", ctx->store->path, (int)auth->dns.len, auth->dns.ptr, (int)trash.data, trash.area);
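Review bot: The new error message in `acme_res_auth()` does not say which name the challenge was for, so a failure is hard to attribute when several domains are in progress. The `send_log()` call just below already has the name at hand, so the message could carry it: `memprintf(errmsg, "couldn't compute the DNS-01 challenge for \"%.*s\"", (int)auth->dns.len, auth->dns.ptr);`. The `error` label and the rest of the function are outside the hunk, so how `errmsg` is reported could not be checked from here.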