profile.c: Treat long macro names as error

Limiting the size and not returning an error leads to infinite recursion if the macro value is a macro name that is longer than the given limitation. Thank OSS-Fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68061
OpenSC · May 16, 2024 · e9dcfe9 · e9dcfe9
1 parent 0ba15ba
commit e9dcfe9
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/src/pkcs15init/profile.c b/src/pkcs15init/profile.c
@@ -2007,19 +2007,22 @@ is_macro_character(char c) {
  return 0;
 }
 
-static void
+static int
 get_inner_word(char *str, char word[WORD_SIZE]) {
  char *inner = NULL;
  size_t len = 0;
 
  inner = str;
+
  while (is_macro_character(*inner)) {
  inner++;
  len++;
  }
- len = len >= WORD_SIZE ? WORD_SIZE - 1 : len;
+ if (len >= WORD_SIZE)
+ return 1;
  memcpy(word, str, len);
  word[len] = '\0';
+ return 0;
 }
 
 /*
@@ -2044,7 +2047,8 @@ check_macro_reference_loop(const char *start_name, sc_macro_t *macro, sc_profile
  if (!(name = strchr(macro_value, '$')))
  continue;
  /* Extract the macro name from the string */
- get_inner_word(name + 1, word);
+ if (get_inner_word(name + 1, word))
+ return 1;
  /* Find whether name corresponds to some other macro */
  if (!(m = find_macro(profile, word)))
  continue;

diff --git a/src/tests/unittests/check_macro_reference_loop.c b/src/tests/unittests/check_macro_reference_loop.c
@@ -143,6 +143,23 @@ static void torture_macro_loop_indirect_nonprintable(void **state)
 }
 #endif /* 0 */
 
+/*
+ *A reproducer for https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=68061
+ */
+static void torture_macro_loop_long_name(void **state)
+{
+ scconf_list value1 = { .data = "$second" };
+ scconf_list value2 = { .data = "$dtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCBBBBe" };
+ scconf_list value3 = { .data = "$second" };
+ sc_macro_t macro3 = { .name = "dtBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCBBBBe", .value = &value3 };
+ sc_macro_t macro2 = { .name = "second", .value = &value2, .next = &macro3 };
+ sc_macro_t macro1 = { .name = "first", .value = &value1, .next = &macro2 };
+ sc_profile_t profile = { .macro_list = &macro1 };
+
+ int r = check_macro_reference_loop("first", &macro1, &profile, 10);
+ assert_int_equal(r, 1);
+}
+
 int main(void)
 {
  const struct CMUnitTest tests[] = {
@@ -154,6 +171,7 @@ int main(void)
  cmocka_unit_test(torture_macro_loop_inner_string),
  cmocka_unit_test(torture_macro_loop_indirect),
  cmocka_unit_test(torture_macro_loop_indirect_multivalue),
+ cmocka_unit_test(torture_macro_loop_long_name),
  };
  return cmocka_run_group_tests(tests, NULL, NULL);
 }