Commit d7f426bf authored by Tim Rühsen

Avoid excessive CPU usage with large inputs to idn2_lookup_u8()

The punycode encoding was done on any input sizes, the output length check
happened afterwards. Due to the O(N^2) nature of the encoding, this
led to excessive CPU usage on large inputs.
This was unneeded because the result was IDN2_TOO_BIG_DOMAIN anyways.

It allowed a Denial-Of-Service (DOS) if the calling functions didn't
have their own length check. In fact we saw this as timeout issues
when fuzzing GnuTLS via OSS-Fuzz.

The affected functions are idn2_lookup_u8(), idn2_lookup_ul(),
idn2_to_ascii_4i, idn2_to_ascii_4i2(), idn2_to_ascii_4z(),
idn2_to_ascii_8z(), idn2_to_ascii_lz().

Also the tool 'idn2' is affected in lookup/toASCII mode.
parent 8a99ab64
......@@ -209,6 +209,14 @@ _tr46 (const uint8_t * domain_u8, uint8_t ** out, int flags)
}
}
/* Exit early if result is too long.
* This avoids excessive CPU usage in punycode encoding, which is O(N^2). */
if (len2 >= IDN2_DOMAIN_MAX_LENGTH)
{
free (domain_u32);
return IDN2_TOO_BIG_DOMAIN;
}
uint32_t *tmp = (uint32_t *) malloc ((len2 + 1) * sizeof (uint32_t));
if (!tmp)
{
......
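Review bot: the new early exit `if (len2 >= IDN2_DOMAIN_MAX_LENGTH)` bounds len2, which sizes a uint32_t buffer two lines later and so counts code points, while the commit message describes the limit being enforced as an output length check. The comment should state why a code point count may stand in for the encoded length, so a later reader does not tighten or loosen it by mistake. The `>=` boundary also deserves a check against the existing post-encoding length test: an input of exactly IDN2_DOMAIN_MAX_LENGTH code points should get the same return value before and after this change. A regression test with inputs at, just below and well above the limit would pin down both the boundary and the CPU-time behaviour. The cleanup on this path frees domain_u32 only. Please confirm nothing else allocated earlier in _tr46 is still live at this point, since the lines above the hunk are not shown.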