diff options
| author | tedu <> | 2016-05-04 15:05:13 +0000 |
|---|---|---|
| committer | tedu <> | 2016-05-04 15:05:13 +0000 |
| commit | 133d75e6cf272462fba6e4eb561f949d0c12e01f (patch) | |
| tree | 61f82263a3f91407e4d8cbf798564a97aa9bdea3 | |
| parent | 00eab3af460c4af05c8b8506af1e1b44f19673d3 (diff) | |
| download | openbsd-133d75e6cf272462fba6e4eb561f949d0c12e01f.tar.gz openbsd-133d75e6cf272462fba6e4eb561f949d0c12e01f.tar.bz2 openbsd-133d75e6cf272462fba6e4eb561f949d0c12e01f.zip | |
fix for integer overflow in encode and encrypt update functions.
additionally, in EncodeUpdate, if the amount written would overflow,
return 0 instead to prevent bugs in the caller.
CVE-2016-2105 and CVE-2016-2106 from openssl.
| -rw-r--r-- | src/lib/libcrypto/evp/encode.c | 13 | ||||
| -rw-r--r-- | src/lib/libcrypto/evp/evp_enc.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/evp/encode.c | 13 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/evp/evp_enc.c | 4 |
4 files changed, 22 insertions, 12 deletions
diff --git a/src/lib/libcrypto/evp/encode.c b/src/lib/libcrypto/evp/encode.c index 637870cef6..1097a7c903 100644 --- a/src/lib/libcrypto/evp/encode.c +++ b/src/lib/libcrypto/evp/encode.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: encode.c,v 1.23 2016/05/04 14:53:29 tedu Exp $ */ | 1 | /* $OpenBSD: encode.c,v 1.24 2016/05/04 15:05:13 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -125,13 +125,13 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 125 | const unsigned char *in, int inl) | 125 | const unsigned char *in, int inl) |
| 126 | { | 126 | { |
| 127 | int i, j; | 127 | int i, j; |
| 128 | unsigned int total = 0; | 128 | size_t total = 0; |
| 129 | 129 | ||
| 130 | *outl = 0; | 130 | *outl = 0; |
| 131 | if (inl == 0) | 131 | if (inl == 0) |
| 132 | return; | 132 | return; |
| 133 | OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); | 133 | OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); |
| 134 | if ((ctx->num + inl) < ctx->length) { | 134 | if (ctx->length - ctx->num > inl) { |
| 135 | memcpy(&(ctx->enc_data[ctx->num]), in, inl); | 135 | memcpy(&(ctx->enc_data[ctx->num]), in, inl); |
| 136 | ctx->num += inl; | 136 | ctx->num += inl; |
| 137 | return; | 137 | return; |
| @@ -148,7 +148,7 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 148 | *out = '\0'; | 148 | *out = '\0'; |
| 149 | total = j + 1; | 149 | total = j + 1; |
| 150 | } | 150 | } |
| 151 | while (inl >= ctx->length) { | 151 | while (inl >= ctx->length && total <= INT_MAX) { |
| 152 | j = EVP_EncodeBlock(out, in, ctx->length); | 152 | j = EVP_EncodeBlock(out, in, ctx->length); |
| 153 | in += ctx->length; | 153 | in += ctx->length; |
| 154 | inl -= ctx->length; | 154 | inl -= ctx->length; |
| @@ -157,6 +157,11 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 157 | *out = '\0'; | 157 | *out = '\0'; |
| 158 | total += j + 1; | 158 | total += j + 1; |
| 159 | } | 159 | } |
| 160 | if (total > INT_MAX) { | ||
| 161 | /* Too much output data! */ | ||
| 162 | *outl = 0; | ||
| 163 | return; | ||
| 164 | } | ||
| 160 | if (inl != 0) | 165 | if (inl != 0) |
| 161 | memcpy(&(ctx->enc_data[0]), in, inl); | 166 | memcpy(&(ctx->enc_data[0]), in, inl); |
| 162 | ctx->num = inl; | 167 | ctx->num = inl; |
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c index a4e369f622..556908fd10 100644 --- a/src/lib/libcrypto/evp/evp_enc.c +++ b/src/lib/libcrypto/evp/evp_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: evp_enc.c,v 1.29 2016/05/04 14:53:29 tedu Exp $ */ | 1 | /* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -334,7 +334,7 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, | |||
| 334 | return 0; | 334 | return 0; |
| 335 | } | 335 | } |
| 336 | if (i != 0) { | 336 | if (i != 0) { |
| 337 | if (i + inl < bl) { | 337 | if (bl - i > inl) { |
| 338 | memcpy(&(ctx->buf[i]), in, inl); | 338 | memcpy(&(ctx->buf[i]), in, inl); |
| 339 | ctx->buf_len += inl; | 339 | ctx->buf_len += inl; |
| 340 | *outl = 0; | 340 | *outl = 0; |
diff --git a/src/lib/libssl/src/crypto/evp/encode.c b/src/lib/libssl/src/crypto/evp/encode.c index 637870cef6..1097a7c903 100644 --- a/src/lib/libssl/src/crypto/evp/encode.c +++ b/src/lib/libssl/src/crypto/evp/encode.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: encode.c,v 1.23 2016/05/04 14:53:29 tedu Exp $ */ | 1 | /* $OpenBSD: encode.c,v 1.24 2016/05/04 15:05:13 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -125,13 +125,13 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 125 | const unsigned char *in, int inl) | 125 | const unsigned char *in, int inl) |
| 126 | { | 126 | { |
| 127 | int i, j; | 127 | int i, j; |
| 128 | unsigned int total = 0; | 128 | size_t total = 0; |
| 129 | 129 | ||
| 130 | *outl = 0; | 130 | *outl = 0; |
| 131 | if (inl == 0) | 131 | if (inl == 0) |
| 132 | return; | 132 | return; |
| 133 | OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); | 133 | OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); |
| 134 | if ((ctx->num + inl) < ctx->length) { | 134 | if (ctx->length - ctx->num > inl) { |
| 135 | memcpy(&(ctx->enc_data[ctx->num]), in, inl); | 135 | memcpy(&(ctx->enc_data[ctx->num]), in, inl); |
| 136 | ctx->num += inl; | 136 | ctx->num += inl; |
| 137 | return; | 137 | return; |
| @@ -148,7 +148,7 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 148 | *out = '\0'; | 148 | *out = '\0'; |
| 149 | total = j + 1; | 149 | total = j + 1; |
| 150 | } | 150 | } |
| 151 | while (inl >= ctx->length) { | 151 | while (inl >= ctx->length && total <= INT_MAX) { |
| 152 | j = EVP_EncodeBlock(out, in, ctx->length); | 152 | j = EVP_EncodeBlock(out, in, ctx->length); |
| 153 | in += ctx->length; | 153 | in += ctx->length; |
| 154 | inl -= ctx->length; | 154 | inl -= ctx->length; |
| @@ -157,6 +157,11 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, | |||
| 157 | *out = '\0'; | 157 | *out = '\0'; |
| 158 | total += j + 1; | 158 | total += j + 1; |
| 159 | } | 159 | } |
| 160 | if (total > INT_MAX) { | ||
| 161 | /* Too much output data! */ | ||
| 162 | *outl = 0; | ||
| 163 | return; | ||
| 164 | } | ||
| 160 | if (inl != 0) | 165 | if (inl != 0) |
| 161 | memcpy(&(ctx->enc_data[0]), in, inl); | 166 | memcpy(&(ctx->enc_data[0]), in, inl); |
| 162 | ctx->num = inl; | 167 | ctx->num = inl; |
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c index a4e369f622..556908fd10 100644 --- a/src/lib/libssl/src/crypto/evp/evp_enc.c +++ b/src/lib/libssl/src/crypto/evp/evp_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: evp_enc.c,v 1.29 2016/05/04 14:53:29 tedu Exp $ */ | 1 | /* $OpenBSD: evp_enc.c,v 1.30 2016/05/04 15:05:13 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -334,7 +334,7 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, | |||
| 334 | return 0; | 334 | return 0; |
| 335 | } | 335 | } |
| 336 | if (i != 0) { | 336 | if (i != 0) { |
| 337 | if (i + inl < bl) { | 337 | if (bl - i > inl) { |
| 338 | memcpy(&(ctx->buf[i]), in, inl); | 338 | memcpy(&(ctx->buf[i]), in, inl); |
| 339 | ctx->buf_len += inl; | 339 | ctx->buf_len += inl; |
| 340 | *outl = 0; | 340 | *outl = 0; |