Module Name: src
Committed By: drochner
Date: Thu Apr 19 20:20:57 UTC 2012
Modified Files:
src/crypto/external/bsd/openssl/dist/crypto: mem.c
src/crypto/external/bsd/openssl/dist/crypto/asn1: a_d2i_fp.c
src/crypto/external/bsd/openssl/dist/crypto/buffer: buffer.c
Log Message:
pull in upstream SVN rev. 22439:
check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean. (CVE-2012-2110)
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.2 \
src/crypto/external/bsd/openssl/dist/crypto/mem.c
cvs rdiff -u -r1.1.1.1 -r1.2 \
src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c
cvs rdiff -u -r1.1.1.2 -r1.2 \
src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssl/dist/crypto/mem.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/mem.c:1.1.1.2 src/crypto/external/bsd/openssl/dist/crypto/mem.c:1.2
--- src/crypto/external/bsd/openssl/dist/crypto/mem.c:1.1.1.2 Sun Jun 5 14:57:20 2011
+++ src/crypto/external/bsd/openssl/dist/crypto/mem.c Thu Apr 19 20:20:57 2012
@@ -363,6 +363,10 @@ void *CRYPTO_realloc_clean(void *str, in
if (num <= 0) return NULL;
+ /* We don't support shrinking the buffer. Note the memcpy that copies
+ * |old_len| bytes to the new buffer, below. */
+ if (num < old_len) return NULL;
+
if (realloc_debug_func != NULL)
realloc_debug_func(str, NULL, num, file, line, 0);
ret=malloc_ex_func(num,file,line);
Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c:1.1.1.1 src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c:1.2
--- src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c:1.1.1.1 Sun Jul 19 23:02:46 2009
+++ src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c Thu Apr 19 20:20:56 2012
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/asn1_mac.h>
@@ -143,17 +144,11 @@ static int asn1_d2i_read_bio(BIO *in, BU
BUF_MEM *b;
unsigned char *p;
int i;
- int ret=-1;
ASN1_const_CTX c;
- int want=HEADER_SIZE;
+ size_t want=HEADER_SIZE;
int eos=0;
-#if defined(__GNUC__) && defined(__ia64)
- /* pathetic compiler bug in all known versions as of Nov. 2002 */
- long off=0;
-#else
- int off=0;
-#endif
- int len=0;
+ size_t off=0;
+ size_t len=0;
b=BUF_MEM_new();
if (b == NULL)
@@ -169,7 +164,7 @@ static int asn1_d2i_read_bio(BIO *in, BU
{
want-=(len-off);
- if (!BUF_MEM_grow_clean(b,len+want))
+ if (len + want < len || !BUF_MEM_grow_clean(b,len+want))
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
goto err;
@@ -181,7 +176,14 @@ static int asn1_d2i_read_bio(BIO *in, BU
goto err;
}
if (i > 0)
+ {
+ if (len+i < len)
+ {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+ goto err;
+ }
len+=i;
+ }
}
/* else data already loaded */
@@ -206,6 +208,11 @@ static int asn1_d2i_read_bio(BIO *in, BU
{
/* no data body so go round again */
eos++;
+ if (eos < 0)
+ {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_HEADER_TOO_LONG);
+ goto err;
+ }
want=HEADER_SIZE;
}
else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC))
@@ -220,10 +227,16 @@ static int asn1_d2i_read_bio(BIO *in, BU
else
{
/* suck in c.slen bytes of data */
- want=(int)c.slen;
+ want=c.slen;
if (want > (len-off))
{
want-=(len-off);
+ if (want > INT_MAX /* BIO_read takes an int length */ ||
+ len+want < len)
+ {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+ goto err;
+ }
if (!BUF_MEM_grow_clean(b,len+want))
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
@@ -238,11 +251,18 @@ static int asn1_d2i_read_bio(BIO *in, BU
ASN1_R_NOT_ENOUGH_DATA);
goto err;
}
+ /* This can't overflow because
+ * |len+want| didn't overflow. */
len+=i;
- want -= i;
+ want-=i;
}
}
- off+=(int)c.slen;
+ if (off + c.slen < off)
+ {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+ goto err;
+ }
+ off+=c.slen;
if (eos <= 0)
{
break;
@@ -252,9 +272,15 @@ static int asn1_d2i_read_bio(BIO *in, BU
}
}
+ if (off > INT_MAX)
+ {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+ goto err;
+ }
+
*pb = b;
return off;
err:
if (b != NULL) BUF_MEM_free(b);
- return(ret);
+ return -1;
}
Index: src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c:1.1.1.2 src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c:1.2
--- src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c:1.1.1.2 Sun Jun 5 14:58:09 2011
+++ src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c Thu Apr 19 20:20:57 2012
@@ -60,6 +60,11 @@
#include "cryptlib.h"
#include <openssl/buffer.h>
+/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That
+ * function is applied in several functions in this file and this limit ensures
+ * that the result fits in an int. */
+#define LIMIT_BEFORE_EXPANSION 0x5ffffffc
+
BUF_MEM *BUF_MEM_new(void)
{
BUF_MEM *ret;
@@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, size_t le
str->length=len;
return(len);
}
+ /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+ if (len > LIMIT_BEFORE_EXPANSION)
+ {
+ BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);
@@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, siz
str->length=len;
return(len);
}
+ /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+ if (len > LIMIT_BEFORE_EXPANSION)
+ {
+ BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);
