1From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001 2From: Daniel Stenberg <daniel@haxx.se> 3Date: Mon, 9 May 2022 10:07:15 +0200 4Subject: [PATCH] nss: return error if seemingly stuck in a cert loop 5 6CVE-2022-27781 7 8Reported-by: Florian Kohnhäuser 9Bug: https://curl.se/docs/CVE-2022-27781.html 10Closes #8822 11 12Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917] 13Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> 14--- 15 lib/vtls/nss.c | 8 ++++++++ 16 1 file changed, 8 insertions(+) 17 18diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c 19index 558e3be..52f2060 100644 20--- a/lib/vtls/nss.c 21+++ b/lib/vtls/nss.c 22@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, 23 PR_Free(common_name); 24 } 25 26+/* A number of certs that will never occur in a real server handshake */ 27+#define TOO_MANY_CERTS 300 28+ 29 static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) 30 { 31 CURLcode result = CURLE_OK; 32@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) 33 cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); 34 while(cert2) { 35 i++; 36+ if(i >= TOO_MANY_CERTS) { 37+ CERT_DestroyCertificate(cert2); 38+ failf(data, "certificate loop"); 39+ return CURLE_SSL_CERTPROBLEM; 40+ } 41 if(cert2->isRoot) { 42 CERT_DestroyCertificate(cert2); 43 break; 44