diff options
| author | tb <> | 2018-11-09 04:11:06 +0000 |
|---|---|---|
| committer | tb <> | 2018-11-09 04:11:06 +0000 |
| commit | 6ec09447f7a0941e12886b8d3c328d186de3813b (patch) | |
| tree | 056fe2e8145104fb3b1693ec3662f990a1756179 /src/lib | |
| parent | 849bf17f8ac09c0c0dfec2caaf9509f99053212d (diff) | |
| download | openbsd-6ec09447f7a0941e12886b8d3c328d186de3813b.tar.gz openbsd-6ec09447f7a0941e12886b8d3c328d186de3813b.tar.bz2 openbsd-6ec09447f7a0941e12886b8d3c328d186de3813b.zip | |
Fix a buffer overrun in asn1_parse2().
From Ben L bobsayshilol () live ! co ! uk
Similar fixes in BoringSSL and OpensSSL.
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/asn1/asn1_par.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/src/lib/libcrypto/asn1/asn1_par.c b/src/lib/libcrypto/asn1/asn1_par.c index 72326a9cc1..f4b39e81cd 100644 --- a/src/lib/libcrypto/asn1/asn1_par.c +++ b/src/lib/libcrypto/asn1/asn1_par.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: asn1_par.c,v 1.25 2015/09/30 19:01:14 jsing Exp $ */ | 1 | /* $OpenBSD: asn1_par.c,v 1.26 2018/11/09 04:11:06 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -177,12 +177,14 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, | |||
| 177 | ret = 0; | 177 | ret = 0; |
| 178 | goto end; | 178 | goto end; |
| 179 | } | 179 | } |
| 180 | if ((r == 2) || (p >= tot)) | 180 | if ((r == 2) || (p >= tot)) { |
| 181 | len = (long)(p - ep); | ||
| 181 | break; | 182 | break; |
| 183 | } | ||
| 182 | } | 184 | } |
| 183 | } else | 185 | } else { |
| 184 | while (p < ep) { | 186 | while (p < ep) { |
| 185 | r = asn1_parse2(bp, &p, (long)len, | 187 | r = asn1_parse2(bp, &p, (long)(ep - p), |
| 186 | offset + (p - *pp), depth + 1, | 188 | offset + (p - *pp), depth + 1, |
| 187 | indent, dump); | 189 | indent, dump); |
| 188 | if (r == 0) { | 190 | if (r == 0) { |
| @@ -190,6 +192,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, | |||
| 190 | goto end; | 192 | goto end; |
| 191 | } | 193 | } |
| 192 | } | 194 | } |
| 195 | } | ||
| 193 | } else if (xclass != 0) { | 196 | } else if (xclass != 0) { |
| 194 | p += len; | 197 | p += len; |
| 195 | if (BIO_write(bp, "\n", 1) <= 0) | 198 | if (BIO_write(bp, "\n", 1) <= 0) |