The branch master has been updated via ecca16632a73bb80ee27cdec8a97f6def0a4714d (commit) from 9dd4ac8cf17f2afd636e85ae0111d1df4104a475 (commit)
- Log ----------------------------------------------------------------- commit ecca16632a73bb80ee27cdec8a97f6def0a4714d Author: Rich Salz <rs...@openssl.org> Date: Tue Feb 21 13:07:13 2017 -0500 Prevent OOB in SRP base64 code. Change size comparison from > (GT) to >= (GTE) to ensure an additional byte of output buffer, to prevent OOB reads/writes later in the function Reject input strings larger than 2GB Detect invalid output buffer size and return early Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Rich Salz <rs...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2672) ----------------------------------------------------------------------- Summary of changes: crypto/srp/srp_vfy.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 188fad2..29b7afc 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -36,10 +36,13 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) int i, j; int size; + if (alen == 0 || alen > INT_MAX) + return -1; + while (*src && (*src == ' ' || *src == '\t' || *src == '\n')) ++src; size = strlen(src); - if (alen > INT_MAX || size > (int)alen) + if (size < 0 || size >= (int)alen) return -1; i = 0; @@ -77,7 +80,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) if (--i < 0) break; } - while (a[j] == 0 && j <= size) + while (j <= size && a[j] == 0) ++j; i = 0; while (j <= size) _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits