diff options
| author | bcook <> | 2016-05-29 19:18:56 +0000 |
|---|---|---|
| committer | bcook <> | 2016-05-29 19:18:56 +0000 |
| commit | 869ac3fe6b630443ce41714efa1fd1a873d21234 (patch) | |
| tree | 4b6701ee44c54c63936d3bcaae097a2a31f9d959 | |
| parent | b22f823601e3febfe38c972c9d3d5416f2169482 (diff) | |
| download | openbsd-869ac3fe6b630443ce41714efa1fd1a873d21234.tar.gz openbsd-869ac3fe6b630443ce41714efa1fd1a873d21234.tar.bz2 openbsd-869ac3fe6b630443ce41714efa1fd1a873d21234.zip | |
Fix a short-read bug in the previous version of asn1_d2i_read_bio
The outer while() loop is missing, so we only read up to chunk_max bytes.
ok tedu
| -rw-r--r-- | src/lib/libssl/src/crypto/asn1/a_d2i_fp.c | 54 |
1 files changed, 28 insertions, 26 deletions
diff --git a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c index 26338732b6..17af61ba66 100644 --- a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c +++ b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: a_d2i_fp.c,v 1.11.2.1 2016/05/03 12:39:48 tedu Exp $ */ | 1 | /* $OpenBSD: a_d2i_fp.c,v 1.11.2.2 2016/05/29 19:18:56 bcook Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -236,36 +236,38 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 236 | ASN1_R_TOO_LONG); | 236 | ASN1_R_TOO_LONG); |
| 237 | goto err; | 237 | goto err; |
| 238 | } | 238 | } |
| 239 | /* | 239 | while (want > 0) { |
| 240 | * Read content in chunks of increasing size | 240 | /* |
| 241 | * so we can return an error for EOF without | 241 | * Read content in chunks of increasing size |
| 242 | * having to allocate the entire content length | 242 | * so we can return an error for EOF without |
| 243 | * in one go. | 243 | * having to allocate the entire content length |
| 244 | */ | 244 | * in one go. |
| 245 | size_t chunk = want > chunk_max ? chunk_max : want; | 245 | */ |
| 246 | size_t chunk = want > chunk_max ? chunk_max : want; | ||
| 246 | 247 | ||
| 247 | if (!BUF_MEM_grow_clean(b, len + chunk)) { | 248 | if (!BUF_MEM_grow_clean(b, len + chunk)) { |
| 248 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | ||
| 249 | ERR_R_MALLOC_FAILURE); | ||
| 250 | goto err; | ||
| 251 | } | ||
| 252 | want -= chunk; | ||
| 253 | while (chunk > 0) { | ||
| 254 | i = BIO_read(in, &(b->data[len]), chunk); | ||
| 255 | if (i <= 0) { | ||
| 256 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | 249 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 257 | ASN1_R_NOT_ENOUGH_DATA); | 250 | ERR_R_MALLOC_FAILURE); |
| 258 | goto err; | 251 | goto err; |
| 259 | } | 252 | } |
| 260 | /* | 253 | want -= chunk; |
| 261 | * This can't overflow because |len+want| | 254 | while (chunk > 0) { |
| 262 | * didn't overflow. | 255 | i = BIO_read(in, &(b->data[len]), chunk); |
| 263 | */ | 256 | if (i <= 0) { |
| 264 | len += i; | 257 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 265 | chunk -= i; | 258 | ASN1_R_NOT_ENOUGH_DATA); |
| 259 | goto err; | ||
| 260 | } | ||
| 261 | /* | ||
| 262 | * This can't overflow because |len+want| | ||
| 263 | * didn't overflow. | ||
| 264 | */ | ||
| 265 | len += i; | ||
| 266 | chunk -= i; | ||
| 267 | } | ||
| 268 | if (chunk_max < INT_MAX/2) | ||
| 269 | chunk_max *= 2; | ||
| 266 | } | 270 | } |
| 267 | if (chunk_max < INT_MAX/2) | ||
| 268 | chunk_max *= 2; | ||
| 269 | } | 271 | } |
| 270 | if (off + c.slen < off) { | 272 | if (off + c.slen < off) { |
| 271 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 273 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); |