Conversation
anhu
force-pushed
the
custom_oid_in_EKU
branch
from
188db55 to
98dd440
Compare
| if (unknownCb != NULL) { | ||
| word16 decOid[MAX_OID_SZ]; | ||
| word32 decOidSz = sizeof(decOid); | ||
| /* Skip past the tag and length to get raw OID bytes */ |
There was a problem hiding this comment.
@aisle-analyzer , does this comment make sense?
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Free Tier Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| #ifdef WC_ASN_UNKNOWN_EXT_CB | ||
| if (unknownCb != NULL) { | ||
| word16 decOid[MAX_OID_SZ]; | ||
| word32 decOidSz = sizeof(decOid); |
There was a problem hiding this comment.
Buffer size passed as bytes instead of elements
Medium Severity
decOidSz is initialized to sizeof(decOid) which yields the byte size (MAX_OID_SZ * sizeof(word16) = 64), but DecodeObjectId interprets *outSz as the number of elements in the array (documented as "On in, number of elements in array"). The decOid array only holds MAX_OID_SZ (32) elements. The bounds check inside DecodeObjectId (y >= (int)*outSz) would allow writing up to index 63, causing a stack buffer overflow for OIDs with more than ~31 dotted components. The correct value is MAX_OID_SZ or sizeof(decOid)/sizeof(decOid[0]). This follows a pre-existing pattern elsewhere in the file, but each new call site is a new exploitable path reachable via a crafted certificate.
Additional Locations (2)
1 participant
Note
Medium Risk
Touches X.509 EKU parsing, which can affect certificate acceptance/rejection paths; behavior remains unchanged unless
WC_ASN_UNKNOWN_EXT_CBis enabled and a callback is registered.Overview
Adds a new public API,
wc_SetUnknownExtKeyUsageCallback, allowing applications to decide whether unknown Extended Key Usage OIDs encountered during certificate parsing should be accepted or rejected.Wires this callback through
DecodedCertintoDecodeExtKeyUsage(signature extended), invoking it when EKU OIDs are unrecognized (including cases where the OID parses but doesn’t map to known EKU bits). Updates OpenSSL-compat codepaths to passNULLfor the new parameter and documents the new callback inasn_public.h.Written by Cursor Bugbot for commit 98dd440. This will update automatically on new commits. Configure here.