Description
Running sscep version 0.10.0 with the enroll command causes a segmentation fault after the client receives and attempts to parse the PKCS#7 response from the server. The output ends with:
sscep: PKCS#7 payload size: 3748 bytes
Segmentation fault (core dumped)
The crash happens inside pkcs7_verify_unwrap() because the code does not check the return value of d2i_PKCS7_bio(). If the server returns an unexpected or malformed PKCS#7 message, this function returns NULL, which results in a segfault when dereferenced.
Steps to Reproduce
Build and run sscep version 0.10.0.
Execute:
sscep enroll -vv -u http://IP:Port/CustomSCEPServer/scep/server
-k my.key -r my.csr -l my_cert.pem -c ca.pem
The client crashes after “PKCS#7 payload size:” is printed.
Expected Behavior
The client should either parse the PKCS#7 correctly or exit with an error message, not crash.
Actual Behavior
A segmentation fault occurs because the return value of d2i_PKCS7_bio() is not verified.
Fix
Commit 3218c71 introduces checks for this function’s return value. The relevant code currently appears as:
408 if (v_flag)
409 printf("%s: PKCS#7 payload size: %d bytes\n", pname, len);
410 BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
411 s->reply_p7 = d2i_PKCS7_bio(memorybio, NULL);
412 if (!s->reply_p7) {
413 fprintf(stderr, "%s: Error in d2i_PKCS7_bio.\n", pname);
414 ERR_print_errors_fp(stderr);
415 exit (SCEP_PKISTATUS_P7);
416 }
536 /* Copy enveloped data into PKCS#7 */
537 s->reply_p7 = d2i_PKCS7_bio(outbio, NULL);
538 if (!s->reply_p7) {
539 fprintf(stderr, "%s: Error in d2i_PKCS7_bio.\n", pname);
540 ERR_print_errors_fp(stderr);
541 exit (SCEP_PKISTATUS_P7);
542 }
Updating to a revision that includes this patch (or applying the patch manually) prevents the crash and instead exits with a descriptive error if d2i_PKCS7_bio() fails.
Description
Running sscep version 0.10.0 with the enroll command causes a segmentation fault after the client receives and attempts to parse the PKCS#7 response from the server. The output ends with:
sscep: PKCS#7 payload size: 3748 bytes
Segmentation fault (core dumped)
The crash happens inside pkcs7_verify_unwrap() because the code does not check the return value of d2i_PKCS7_bio(). If the server returns an unexpected or malformed PKCS#7 message, this function returns NULL, which results in a segfault when dereferenced.
Steps to Reproduce
Build and run sscep version 0.10.0.
Execute:
sscep enroll -vv -u http://IP:Port/CustomSCEPServer/scep/server
-k my.key -r my.csr -l my_cert.pem -c ca.pem
The client crashes after “PKCS#7 payload size:” is printed.
Expected Behavior
The client should either parse the PKCS#7 correctly or exit with an error message, not crash.
Actual Behavior
A segmentation fault occurs because the return value of d2i_PKCS7_bio() is not verified.
Fix
Commit 3218c71 introduces checks for this function’s return value. The relevant code currently appears as:
408 if (v_flag)
409 printf("%s: PKCS#7 payload size: %d bytes\n", pname, len);
410 BIO_set_flags(memorybio, BIO_FLAGS_MEM_RDONLY);
411 s->reply_p7 = d2i_PKCS7_bio(memorybio, NULL);
412 if (!s->reply_p7) {
413 fprintf(stderr, "%s: Error in d2i_PKCS7_bio.\n", pname);
414 ERR_print_errors_fp(stderr);
415 exit (SCEP_PKISTATUS_P7);
416 }
536 /* Copy enveloped data into PKCS#7 */
537 s->reply_p7 = d2i_PKCS7_bio(outbio, NULL);
538 if (!s->reply_p7) {
539 fprintf(stderr, "%s: Error in d2i_PKCS7_bio.\n", pname);
540 ERR_print_errors_fp(stderr);
541 exit (SCEP_PKISTATUS_P7);
542 }
Updating to a revision that includes this patch (or applying the patch manually) prevents the crash and instead exits with a descriptive error if d2i_PKCS7_bio() fails.