1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
# HG changeset patch
# User John M. Schanck <jschanck@mozilla.com>
# Date 1633990165 0
# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0
# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f
Bug 1735028 - check for missing signedData field r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D128112
Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0]
CVE: CVE-2022-22747
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage
unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
0x05, 0xa0, 0x02, 0x30, 0x00};
EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
reinterpret_cast<char*>(emptyCertPackage),
sizeof(emptyCertPackage)));
EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
}
+
+TEST_F(DecodeCertsTest, EmptySignedData) {
+ // This represents a PKCS#7 ContentInfo of contentType
+ // 1.2.840.113549.1.7.2 (signedData) with missing content.
+ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86,
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
+ 0x02, 0x00, 0x00, 0x05, 0x00};
+
+ EXPECT_EQ(nullptr,
+ CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData),
+ sizeof(emptySignedData)));
+ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+}
diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c
--- a/nss/lib/pkcs7/certread.c
+++ b/nss/lib/pkcs7/certread.c
@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C
pkcs7Item) != SECSuccess) {
goto done;
}
if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
goto done;
}
+ if (contentInfo.content.signedData == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ goto done;
+ }
+
rv = SECSuccess;
certs = contentInfo.content.signedData->certificates;
if (certs) {
count = 0;
while (*certs) {
count++;
|