author | David Benjamin <davidben@google.com> | 2017-09-18 21:58:41 +0200 |
---|---|---|
committer | Andy Polyakov <appro@openssl.org> | 2017-09-19 21:31:30 +0200 |
commit | 6b1c8204b33aaedb7df7a009c241412839aaf950 (patch) | |
tree | 9b822badeb0715731bd89aea53efb6302a2a8798 /crypto/asn1/a_bitstr.c | |
parent | Stack sorting safety (diff) | |
Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

Diffstat (limited to 'crypto/asn1/a_bitstr.c')
-rw-r--r-- | crypto/asn1/a_bitstr.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 33be907f9d..b2e0fb6882 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include <limits.h> #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/asn1.h> @@ -88,6 +89,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, goto err; } + if (len > INT_MAX) { + i = ASN1_R_STRING_TOO_LONG; + goto err; + } + if ((a == NULL) || ((*a) == NULL)) { if ((ret = ASN1_BIT_STRING_new()) == NULL) return (NULL); |
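
Review bot: the `if (len > INT_MAX)` check added in the second hunk, in c2i_ASN1_BIT_STRING, has no comment explaining why a `long` is bounded by `INT_MAX`. A one-line comment stating that `len` is used as an `int` further down would keep a later cleanup from dropping the check as redundant. On platforms where `long` and `int` have the same width the condition can never be true, which is harmless but can draw an always-false comparison warning from some compilers. Placing the check ahead of the `ASN1_BIT_STRING_new()` call is the right order, since `ret` has not been allocated yet when it jumps to `err`.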