Avoid a potential out-of-bounds read in X509_cmp_time(), due to missing

length checks. Diff based on changes in OpenSSL. Fixes CVE-2015-1789. ok doug@
author: jsing <> 2015-06-11 15:58:53 +0000
committer: jsing <> 2015-06-11 15:58:53 +0000
commit: 652913e0fc47c01c7ce25e6f73435f2bf88f6a2e (patch)
tree: e702411b65c7ed69d4ba1fddca1224513878bf3b /src/lib/libc
parent: 095e36cd429c313ee8361e8877bc677116a2a2ce (diff)
download: openbsd-652913e0fc47c01c7ce25e6f73435f2bf88f6a2e.tar.gz
openbsd-652913e0fc47c01c7ce25e6f73435f2bf88f6a2e.tar.bz2
openbsd-652913e0fc47c01c7ce25e6f73435f2bf88f6a2e.zip
1 files changed, 27 insertions, 4 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 442035625a..a20c755d7f 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.41 2015/04/11 16:03:21 deraadt Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.42 2015/06/11 15:58:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1644,35 +1644,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
                memcpy(p, str, 10);
                p += 10;
                str += 10;
+                i -= 10;
        } else {
                if (i < 13)
                        return 0;
                memcpy(p, str, 12);
                p += 12;
                str += 12;
+                i -= 12;
        }
+        if (i < 1)
+                return 0;
        if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
                *(p++) = '0';
                *(p++) = '0';
        } else {
+                if (i < 2)
+                        return 0;
                *(p++) = *(str++);
                *(p++) = *(str++);
+                i -= 2;
+                if (i < 1)
+                        return 0;
                /* Skip any fractional seconds... */
                if (*str == '.') {
                        str++;
-                        while ((*str >= '0') && (*str <= '9'))
+                        i--;
+                        while (i > 1 && (*str >= '0') && (*str <= '9')) {
                                str++;
+                                i--;
+                        }
                }
        }
        *(p++) = 'Z';
        *(p++) = '\0';
-        if (*str == 'Z')
+        if (i < 1)
+                return 0;
+        if (*str == 'Z') {
+                if (i != 1)
+                        return 0;
                offset = 0;
-        else {
+        } else {
+                if (i != 5)
+                        return 0;
                if ((*str != '+') && (*str != '-'))
                        return 0;
+                if (str[1] < '0' || str[1] > '9' ||
+                    str[2] < '0' || str[2] > '9' ||
+                    str[3] < '0' || str[3] > '9' ||
+                    str[4] < '0' || str[4] > '9')
+                        return 0;
                offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
                offset += (str[3] - '0') * 10 + (str[4] - '0');
                if (*str == '-')
author	jsing <>	2015-06-11 15:58:53 +0000
committer	jsing <>	2015-06-11 15:58:53 +0000
commit	652913e0fc47c01c7ce25e6f73435f2bf88f6a2e (patch)
tree	e702411b65c7ed69d4ba1fddca1224513878bf3b /src/lib/libc
parent	095e36cd429c313ee8361e8877bc677116a2a2ce (diff)
download	openbsd-652913e0fc47c01c7ce25e6f73435f2bf88f6a2e.tar.gz openbsd-652913e0fc47c01c7ce25e6f73435f2bf88f6a2e.tar.bz2 openbsd-652913e0fc47c01c7ce25e6f73435f2bf88f6a2e.zip