Certtool core dumps when parsing a file that contains more than 16 certificates.
Certtool core dumps when it is used to verify a PEM-encoded certificate chain that contains more than 16 certificates.
Steps to Reproduce:
> # certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e
The stack trace:
> Reading symbols from certtool...
> Reading symbols from /usr/lib/debug//usr/bin/certtool-3.8.0-3.x86_64.debug...
> [New LWP 113834]
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/usr/lib64/libthread_db.so.1".
> Core was generated by `certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e'.
> Program terminated with signal SIGABRT, Aborted.
> #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
> at pthread_kill.c:44
> 44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
> (gdb) bt
> #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
> at pthread_kill.c:44
> #1 0x00007fe0c54fdf53 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
> #2 0x00007fe0c54b1d56 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
> #3 0x00007fe0c549d197 in __GI_abort () at abort.c:79
> #4 0x00007fe0c54f2037 in __libc_message (action=action@entry=do_abort,
> fmt=fmt@entry=0x7fe0c562b5d9 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
> #5 0x00007fe0c558dd3a in __GI___fortify_fail (msg=msg@entry=0x7fe0c562b57f "buffer overflow detected")
> at fortify_fail.c:26
> #6 0x00007fe0c558c656 in __GI___chk_fail () at chk_fail.c:28
> #7 0x00007fe0c5c5bebd in memcpy (__len=1160, __src=0x555bd8056110, __dest=0x7ffdcaec35a0)
> at /usr/include/bits/string_fortified.h:29
> #8 gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145,
> data=data@entry=0x0, elements=elements@entry=0, flags=4, voutput=0x7ffdcaec3758,
> func=0x555bd61b2190 <detailed_verification>) at verify-high.c:1475
> #9 0x00007fe0c5c5cdc5 in gnutls_x509_trust_list_verify_crt (list=<optimized out>, cert_list=<optimized out>,
> cert_list_size=<optimized out>, flags=<optimized out>, voutput=<optimized out>, func=<optimized out>)
> at verify-high.c:1337
> #10 0x0000555bd61b2dd5 in _verify_x509_mem (cert=0x7fe0c52bc010, cert_size=223196, cinfo=<optimized out>,
> use_system_trust=<optimized out>, purpose=0x0, hostname=0x0, email=0x0) at certtool.c:2496
> #11 0x0000555bd61b771f in verify_certificate (cinfo=<optimized out>) at certtool.c:2584
> #12 cmd_parser (argc=<optimized out>, argv=<optimized out>) at certtool.c:1493
> #13 0x0000555bd61b084a in main (argc=3, argv=0x7ffdcaec3b88) at certtool.c:131
> (gdb) f 8
> #8 gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145,
> data=data@entry=0x0, elements=elements@entry=0, flags=4, voutput=0x7ffdcaec3758,
> func=0x555bd61b2190 <detailed_verification>) at verify-high.c:1475
> 1475 **memcpy(sorted, cert_list, cert_list_size** * sizeof(gnutls_x509_crt_t));
> (gdb) p **cert_list_size**
> $1 = **145**
> (gdb) ptype **sorted**
> type = struct gnutls_x509_crt_int {
> asn1_node cert;
> int use_extensions;
> unsigned int expanded;
> unsigned int modified;
> unsigned int flags;
> struct pin_info_st pin;
> gnutls_datum_t raw_dn;
> gnutls_datum_t raw_issuer_dn;
> gnutls_datum_t raw_spki;
> gnutls_datum_t der;
> gnutls_subject_alt_names_t san;
> gnutls_subject_alt_names_t ian;
> gnutls_x509_dn_st dn;
> gnutls_x509_dn_st idn;
> } *[**16**]
> (gdb)
The check on `cert_list_size` in `gnutls_x509_trust_list_verify_crt2` is missing since the commit "x509: rework issuer callback". As the `ptype` output shows, `sorted` is a fixed-size stack array of 16 certificate pointers, while `cert_list_size` is 145, so the `memcpy` at verify-high.c:1475 writes 1160 bytes (145 × 8) past a 128-byte buffer; here the fortified `memcpy` catches it and aborts, but without fortification the same input would overflow the stack buffer silently. The size should be validated (or the copy bounded to the array length) before the `memcpy`, and an oversized chain rejected with an error rather than copied.
Edited by Daiki Ueno