datatheorem / TrustKit

Easy SSL pinning validation and reporting for iOS, macOS, tvOS and watchOS.
MIT License

Crash in getPinningConfigurationKeyForDomain #210

Closed GevaZeichner closed 4 years ago

GevaZeichner commented 5 years ago

Hi,

A few of my users are getting NSRangeException. TrustKit 1.6.1

Fatal Exception: NSRangeException
*** -[__NSCFString substringToIndex:]: Index 18446744073709551615 out of bounds; string length 16

Fatal Exception: NSRangeException
0  CoreFoundation                 0x20ea1927c __exceptionPreprocess
1  libobjc.A.dylib                0x20dbf39f8 objc_exception_throw
2  CoreFoundation                 0x20e9234b0 -[NSCache init]
3  Foundation                     0x20f3733a4 -[NSString substringToIndex:]
4  TrustKit                       0x108af3628 getPinningConfigurationKeyForDomain + 39 (configuration_utils.m:39)
5  TrustKit                       0x108afa144 -[TSKPinningValidator evaluateTrust:forHostname:] + 99 (TSKPinningValidator.m:99)
6  TrustKit                       0x108afa6a8 -[TSKPinningValidator handleChallenge:completionHandler:] + 203 (TSKPinningValidator.m:203)
GevaZeichner commented 5 years ago

Hi @nabla-c0d3, I tried debugging this and it is not clear how this situation is possible. Looking at configuration_utils.m:39, in order for the crash to happen, it seems that [subdomain length] would need to be equal to domainRegistryLength. Any ideas? Should we just add another safeguard checking these values, or is there a better fix? Can it be related to the user's network, maybe they have weird redirects or something of that sort?
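
The boundary case described in the comment above, reproduced as an added C example that is not TrustKit's own code: when a hostname's length equals its registry (public suffix) length, the unsigned subtraction `length - registryLength - 1` wraps to 18446744073709551615, exactly the index in the trace. `registry_length` is a constructed stand-in for the library's public-suffix lookup with a five-entry table (it includes s3.amazonaws.com, the host the reporter suspects), and `checked_prefix_index` is one assumed form of the safeguard the comment asks about, not the fix that shipped in TrustKit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the public-suffix ("domain registry") lookup.
 * Returns the length of the longest registry suffix matching host, or 0.
 * A host that IS a suffix (e.g. "s3.amazonaws.com") matches with its full
 * length, which is the situation the crash report shows (length 16). */
static size_t registry_length(const char *host)
{
    static const char *const suffixes[] = {
        "s3.amazonaws.com", "co.uk", "com", "uk", "org"};
    size_t host_len = strlen(host), best = 0;
    for (size_t i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++) {
        size_t s_len = strlen(suffixes[i]);
        if (s_len < best || host_len < s_len) continue;
        if (strcmp(host + (host_len - s_len), suffixes[i]) != 0) continue;
        /* match only on a label boundary, or when host equals the suffix */
        if (host_len == s_len || host[host_len - s_len - 1] == '.')
            best = s_len;
    }
    return best;
}

/* Index of the '.' separating the host from its registry suffix, computed
 * the unchecked way with unsigned arithmetic. When host length equals the
 * registry length, len - reg - 1 wraps to SIZE_MAX, i.e. the
 * 18446744073709551615 passed to substringToIndex: in the crash. */
size_t unchecked_prefix_index(const char *host)
{
    size_t len = strlen(host), reg = registry_length(host);
    return len - reg - 1;
}

/* Guarded variant (assumed form of the safeguard, not TrustKit's shipped
 * fix): returns -1 when there is no registry suffix or the host is not
 * strictly longer than "<label>.<suffix>", so the caller can treat the host
 * as "not covered by includeSubdomains" instead of crashing. */
long checked_prefix_index(const char *host)
{
    size_t len = strlen(host), reg = registry_length(host);
    if (reg == 0 || len <= reg + 1)
        return -1;
    return (long)(len - reg - 1);
}

/* Is subdomain strictly under domain? Both sides go through the guarded
 * lookup first, so a hostname that is itself a public suffix yields a safe
 * "no" rather than an out-of-range substring. */
bool is_subdomain(const char *domain, const char *subdomain)
{
    long d_prefix = checked_prefix_index(domain);
    long s_prefix = checked_prefix_index(subdomain);
    if (d_prefix < 0 || s_prefix < 0 || s_prefix <= d_prefix)
        return false;
    size_t d_len = strlen(domain), s_len = strlen(subdomain);
    if (s_len <= d_len)
        return false;
    /* the pinned domain must be a whole-label suffix of the hostname */
    return subdomain[s_len - d_len - 1] == '.' &&
           strcmp(subdomain + (s_len - d_len), domain) == 0;
}

int main(void)
{
    const char *hosts[] = {"bucket.s3.amazonaws.com", "s3.amazonaws.com"};
    for (size_t i = 0; i < 2; i++) {
        printf("%-24s unchecked=%zu checked=%ld\n", hosts[i],
               unchecked_prefix_index(hosts[i]),
               checked_prefix_index(hosts[i]));
    }
    printf("is_subdomain(example.com, www.example.com) = %d\n",
           is_subdomain("example.com", "www.example.com"));
    return 0;
}
```

Running it shows `s3.amazonaws.com` producing `unchecked=18446744073709551615` next to `checked=-1`: the guarded lookup turns the same input into an explicit "no configuration applies" result, which is the safe outcome for pinning code that cannot place a hostname under any configured domain.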

nabla-c0d3 commented 5 years ago

Hello - do you know for which domain this is happening? Or maybe a list of possible domains? Thanks!

GevaZeichner commented 5 years ago

Hi @nabla-c0d3! We don't know exactly, but I suspect it might be a subdomain of s3.amazonaws.com (length 16). Can you maybe track it through the reports the library sends?

nabla-c0d3 commented 4 years ago

Released as v1.7.0.