Re: rpki-client: limit number of RSC checklist entries?

Wed, 01 Jun 2022 00:10:08 -0700 

On Wed, Jun 01, 2022 at 08:44:43AM +0200, Theo Buehler wrote:
> When compared to manifest FileAndHash, the RSC code doesn't limit the
> size of the FileNameAndHash list. Should we do this for consistency?
> 
> The situation is of course not quite the same since we're in -f mode.
> However, we do impose limits on the sizes of other resources, so it
> looks like a missing check.

This is fine with me but lets get job@'s opinion since he is behind rsc
support.
 
> Index: extern.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> retrieving revision 1.140
> diff -u -p -r1.140 extern.h
> --- extern.h  31 May 2022 18:41:43 -0000      1.140
> +++ extern.h  31 May 2022 20:35:41 -0000
> @@ -700,6 +700,9 @@ int       mkpathat(int, const char *);
>  
>  /* Maximum acceptable file size */
>  #define MAX_FILE_SIZE                4000000
> +
> +/* Maximum number of FileNameAndHash entries per RSC checklist. */
> +#define MAX_CHECKLIST_ENTRIES        100000
>  
>  /* Maximum number of FileAndHash entries per manifest. */
>  #define MAX_MANIFEST_ENTRIES 100000
> Index: mft.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
> retrieving revision 1.69
> diff -u -p -r1.69 mft.c
> --- mft.c     31 May 2022 18:51:35 -0000      1.69
> +++ mft.c     1 Jun 2022 06:34:39 -0000
> @@ -323,7 +323,7 @@ mft_parse_econtent(const unsigned char *
>               goto out;
>       }
>  
> -     if (sk_FileAndHash_num(mft->fileList) > MAX_MANIFEST_ENTRIES) {
> +     if (sk_FileAndHash_num(mft->fileList) >= MAX_MANIFEST_ENTRIES) {
>               warnx("%s: %d exceeds manifest entry limit (%d)", p->fn,
>                   sk_FileAndHash_num(mft->fileList), MAX_MANIFEST_ENTRIES);
>               goto out;
> Index: rsc.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 rsc.c
> --- rsc.c     31 May 2022 18:51:35 -0000      1.7
> +++ rsc.c     1 Jun 2022 06:36:15 -0000
> @@ -279,6 +279,12 @@ rsc_parse_checklist(struct parse *p, con
>               return 0;
>       }
>  
> +     if (sz >= MAX_CHECKLIST_ENTRIES) {
> +             warnx("%s: %zu exceeds checklist entry limit (%d)", p->fn, sz,
> +                 MAX_CHECKLIST_ENTRIES);
> +             return 0;
> +     }
> +
>       p->res->files = calloc(sz, sizeof(struct rscfile));
>       if (p->res->files == NULL)
>               err(1, NULL);
> 

-- 
:wq Claudio

Reply via email to