fix out-of-bounds read in cupsSignCredentialsRequest #1640

Open
aizu-m wants to merge 1 commit into OpenPrinting:master from aizu-m:csr-ext-der-bounds

Conversation

aizu-m (Contributor) commented Jul 2, 2026

ASan, cups-x509 signing a hand-crafted CSR:

==ERROR: AddressSanitizer: heap-buffer-overflow, READ of size 200
    #1 cupsSignCredentialsRequest tls-openssl.c:1339
    #2 do_ca cups-x509.c:483
0 bytes after an 8-byte region allocated at tls-openssl.c:1218 (i2d)

The subjectAltName parser walks the DER TLV elements with j += data[j + 1] + 2
and only checks j < datalen. data[j + 1] is an attacker byte, so an element
whose declared length overruns the extension makes the memcpy read past the i2d
buffer. OpenSSL keeps the SAN value as an opaque octet string, so a CSR can carry
a SEQUENCE whose [2] element claims 200 bytes but supplies 2.

Same defect in the extKeyUsage loop above: for a truncated final element the
memcmp and data[j + 9] read off the end (ASan: READ of size 7 at :1243).

Both loops now bound the element header and value against datalen before reading.
A valid CSR still signs unchanged; the crafted ones are rejected cleanly. Reached
from any signing/CA path, e.g. cups-x509 ca -R.
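Added example, not code from this PR or from CUPS: a bounded DER TLV walker in the shape the description calls for (tag/length header and the announced value are checked against datalen before any byte is read or copied), run over a constructed SAN SEQUENCE and over a [2] element that claims 200 bytes but supplies two. Function names and the sample bytes are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample SAN values (not from a real CSR): two GeneralName
 * elements, and a [2] dNSName that claims 200 bytes but supplies two. */
const uint8_t san_good[]    = {0x82, 0x03, 'a', 'b', 'c', 0x87, 0x04, 127, 0, 0, 1};
const uint8_t san_crafted[] = {0x82, 0x81, 0xC8, 'a', 'b'};

/* Hypothetical bounded DER TLV reader (not CUPS code): parse the header at
 * data[j], checking header and value against datalen first. 0 ok, -1 overrun. */
static int der_read_header(const uint8_t *data, size_t datalen, size_t j,
                           size_t *hdrlen, size_t *vallen)
{
  size_t hl = 2, vl;
  if (j >= datalen || datalen - j < 2)          /* tag + length byte present? */
    return (-1);
  if (data[j + 1] < 0x80)                       /* short form: length < 128 */
    vl = data[j + 1];
  else                                          /* long form: N length bytes */
  {
    size_t n = data[j + 1] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || datalen - j - 2 < n)
      return (-1);
    for (vl = 0; n > 0; n --, hl ++)
      vl = (vl << 8) | data[j + hl];
  }
  if (vl > datalen - j - hl)                    /* declared value must fit */
    return (-1);
  *hdrlen = hl; *vallen = vl;
  return (0);
}

/* Walk a SEQUENCE value and copy the value of the first element tagged 'tag'
 * into out. Returns the copied length, 0 if absent, -1 if an element is
 * truncated or the value exceeds outlen (rejected instead of over-read). */
int der_find_value(const uint8_t *data, size_t datalen, uint8_t tag,
                   uint8_t *out, size_t outlen)
{
  size_t j, hl, vl;
  for (j = 0; j < datalen; j += hl + vl)
  {
    if (der_read_header(data, datalen, j, &hl, &vl))
      return (-1);
    if (data[j] != tag) continue;
    if (vl > outlen) return (-1);
    memcpy(out, data + j + hl, vl);             /* bounded by the check above */
    return ((int)vl);
  }
  return (0);
}
```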

@michaelrsweet michaelrsweet self-assigned this Jul 2, 2026
@michaelrsweet michaelrsweet added the investigating Investigating the issue label Jul 2, 2026
@michaelrsweet michaelrsweet added this to the v2.5 milestone Jul 2, 2026