From: Job Snijders
Subject: rpki-client: limit the filename length in Manifest listings to something reasonable
To: tech@openbsd.org
Date: Wed, 13 May 2026 14:39:26 +0000

I think it is helpful to only consider CA material that can fit in USTAR archives and reject exogenous names. If 99 characters isn't enough, perhaps the CA should reconsider their filenaming scheme approach.

I regret not having thought of a SIZE(5..99) constraint when the Manifest-bis RFC still was cooking as draft.

Throughout the ecosystem, the average filename length seems to be somewhere between 31 and 56. The below patch causes only one (very young) CA to be rejected.

rpki-client: https://rrdp.twnic.tw/rrdp/notification.xml: pulling from network
rpki-client: https://rrdp.twnic.tw/rrdp/notification.xml: notification file not modified (335d178e-beb8-467d-8728-ba45540b34c9#4217)
rpki-client: https://rrdp.twnic.tw/rrdp/notification.xml: loaded from network
rpki-client: .rrdp/66379FACF9122B9638D45427079C9669F95B694FE6F5DAA7A69F835F3C4ABDC6/rpkica.twnic.tw/rpki/ASNET/0/9832A7E4CF45729EDCD3681D0146E1ED3A4A40C3.mft: FileAndHash contains overly long filename
rpki-client: rpkica.twnic.tw/rpki/ASNET/0/9832A7E4CF45729EDCD3681D0146E1ED3A4A40C3.mft: no valid manifest available

OK? Suggestions?

Index: extern.h =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v diff -u -p -r1.279 extern.h --- extern.h 1 May 2026 11:22:24 -0000 1.279 +++ extern.h 13 May 2026 14:27:23 -0000 
@@ -1056,6 +1056,9 @@ int mkpathat(int, const char *); /* Maximum number of FileAndHash entries per manifest. */ #define MAX_MANIFEST_ENTRIES 100000 +/* Maximum filename length in Manifest FileAndHash listings. */ +#define MAX_MANIFEST_FN_LENGTH 99 + /* Maximum number of Providers per ASPA object. */ #define MAX_ASPA_PROVIDERS 10000 Index: mft.c =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v diff -u -p -r1.137 mft.c --- mft.c 5 May 2026 09:33:15 -0000 1.137 +++ mft.c 13 May 2026 14:27:23 -0000 @@ -164,6 +164,11 @@ mft_parse_filehash(const char *fn, struc warnx("%s: RFC 9286 section 4.2.2: bad filename", fn); goto out; } + if (length > MAX_MANIFEST_FN_LENGTH) { + warnx("%s: FileAndHash contains overly long filename", fn); + goto out; + } + file = strndup(data, length); if (file == NULL) err(1, NULL);
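
Review bot: the comment above MAX_MANIFEST_FN_LENGTH in the extern.h hunk does not say where 99 comes from. The mail ties the value to what fits in a USTAR archive; stating that in the comment would keep the constant from looking arbitrary next to MAX_MANIFEST_ENTRIES and MAX_ASPA_PROVIDERS, and would tell a later reader why it should not be raised without also checking whatever archives the output.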
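
Review bot: the new warnx() in the mft.c hunk, "%s: FileAndHash contains overly long filename", reports neither the offending length nor the limit, and unlike the "RFC 9286 section 4.2.2: bad filename" warning directly above it gives no hint that this is a local policy limit and not an RFC requirement. Consider including length and MAX_MANIFEST_FN_LENGTH in the message, so an operator who sees the manifest rejected can tell from the log line alone how far over the CA's naming scheme is and that the rejection is rpki-client's own cap.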