diff options
| author | Rich Salz <rsalz@openssl.org> | 2017-02-21 19:07:13 +0100 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2017-02-21 19:07:13 +0100 |
| commit | ecca16632a73bb80ee27cdec8a97f6def0a4714d (patch) | |
| tree | 3f53c183fdc8db0eea571813c5e207fdeeb3eecb /crypto/srp | |
| parent | Update client, server and x509 fuzz corpus (diff) | |
| download | openssl-ecca16632a73bb80ee27cdec8a97f6def0a4714d.tar.xz openssl-ecca16632a73bb80ee27cdec8a97f6def0a4714d.zip | |
Prevent OOB in SRP base64 code.
Change size comparison from > (GT) to >= (GTE) to ensure an additional
byte of output buffer, to prevent OOB reads/writes later in the function
Reject input strings larger than 2GB
Detect invalid output buffer size and return early
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2672)
Diffstat (limited to 'crypto/srp')
| -rw-r--r-- | crypto/srp/srp_vfy.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 188fad27e1..29b7afcb04 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -36,10 +36,13 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) int i, j; int size; + if (alen == 0 || alen > INT_MAX) + return -1; + while (*src && (*src == ' ' || *src == '\t' || *src == '\n')) ++src; size = strlen(src); - if (alen > INT_MAX || size > (int)alen) + if (size < 0 || size >= (int)alen) return -1; i = 0; @@ -77,7 +80,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) if (--i < 0) break; } - while (a[j] == 0 && j <= size) + while (j <= size && a[j] == 0) ++j; i = 0; while (j <= size) |