The branch OpenSSL_1_0_2-stable has been updated via 859a42531acf2c3547711f642bcfd7fd52eb2338 (commit) from 772fc32bab589f8e0d54eb9777e51819412d80e6 (commit)
- Log ----------------------------------------------------------------- commit 859a42531acf2c3547711f642bcfd7fd52eb2338 Author: David Benjamin <david...@google.com> Date: Mon Sep 18 15:58:41 2017 -0400 Fix overflow in c2i_ASN1_BIT_STRING. c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds before doing so. Previously, excessively large inputs to the function could write a single byte outside the target buffer. (This is unreachable as asn1_ex_c2i already uses int for the length.) Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Andy Polyakov <ap...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4385) (cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_bitstr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index c429342..0c8bb14 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include <limits.h> #include <stdio.h> #include "cryptlib.h" #include <openssl/asn1.h> @@ -136,6 +137,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, goto err; } + if (len > INT_MAX) { + i = ASN1_R_STRING_TOO_LONG; + goto err; + } + if ((a == NULL) || ((*a) == NULL)) { if ((ret = M_ASN1_BIT_STRING_new()) == NULL) return (NULL); _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
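Review bot: the `if (len > INT_MAX)` check added in the second hunk of crypto/asn1/a_bitstr.c has no comment saying why a `long` length is capped at `INT_MAX`, and the patch (1 file changed, 6 insertions) adds no regression test for it. The commit message itself says the path is unreachable through asn1_ex_c2i, so a one-line comment above the check noting that `len` is used as an `int` further down would keep a later cleanup from removing it as dead code. On platforms where `long` and `int` have the same width the comparison can never be true, so confirm it does not raise an always-false warning in those builds. A test that calls c2i_ASN1_BIT_STRING directly with a length above `INT_MAX` and expects `ASN1_R_STRING_TOO_LONG` would pin the new behaviour.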