Avoid an out-of-bounds access in BN_rand()

If BN_rand() is called with top > 0 and bits == 1, it would allocate
a buf[] of size 1 and set the top bit of buf[1].

Found in OpenSSL commit efee575ad464bfb60bf72dcb73f9b51768f4b1a1 while
looking for something else.

ok beck djm inoguchi

1 files changed, 8 insertions, 3 deletions

diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index df798f41bc..4626960a0d 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.22 2018/11/06 06:49:45 tb Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.23 2020/09/12 15:24:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -129,6 +129,11 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
                 return (0);
         }
 
+        if (bits < 0 || (bits == 1 && top > 0)) {
+                BNerror(BN_R_BITS_TOO_SMALL);
+                return (0);
+        }
+
         if (bits == 0) {
                 BN_zero(rnd);
                 return (1);
@@ -166,8 +171,8 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
         }
 #endif
 
-        if (top != -1) {
-                if (top) {
+        if (top >= 0) {
+                if (top > 0) {
                         if (bit == 0) {
                                 buf[0] = 1;
                                 buf[1] |= 0x80;