Add a missing bounds check in c2i_ASN1_BIT_STRING().

This could potentially result in a left shift that exceeded the size of the storage type. Issue found by Simon Friedberger, Robert Merget and Juraj Somorovsky. ok inoguchi@ tb@
author: jsing <> 2018-05-12 17:39:05 +0000
committer: jsing <> 2018-05-12 17:39:05 +0000
commit: 54259dcc7646253fd0374f5fab91657dce17c42e (patch)
tree: 05e71edebb33bca40adbc313d73a5c26ca173ac9
parent: 966d6d817fb485a3696e14a84dd77ca88a9ba84a (diff)
download: openbsd-54259dcc7646253fd0374f5fab91657dce17c42e.tar.gz
openbsd-54259dcc7646253fd0374f5fab91657dce17c42e.tar.bz2
openbsd-54259dcc7646253fd0374f5fab91657dce17c42e.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index 8a4a68dbb3..3800c218a1 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_bitstr.c,v 1.25 2018/04/25 11:48:21 tb Exp $ */
+/* $OpenBSD: a_bitstr.c,v 1.26 2018/05/12 17:39:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -147,6 +147,11 @@ c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, const unsigned char **pp, long len)
        p = *pp;
        i = *(p++);
+        if (i > 7) {
+                ASN1error(ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+                goto err;
+        }
        /* We do this to preserve the settings.  If we modify
         * the settings, via the _set_bit function, we will recalculate
         * on output */
author	jsing <>	2018-05-12 17:39:05 +0000
committer	jsing <>	2018-05-12 17:39:05 +0000
commit	54259dcc7646253fd0374f5fab91657dce17c42e (patch)
tree	05e71edebb33bca40adbc313d73a5c26ca173ac9
parent	966d6d817fb485a3696e14a84dd77ca88a9ba84a (diff)
download	openbsd-54259dcc7646253fd0374f5fab91657dce17c42e.tar.gz openbsd-54259dcc7646253fd0374f5fab91657dce17c42e.tar.bz2 openbsd-54259dcc7646253fd0374f5fab91657dce17c42e.zip