diff options
| author | miod <> | 2014-07-11 15:35:53 +0000 |
|---|---|---|
| committer | miod <> | 2014-07-11 15:35:53 +0000 |
| commit | 8c090a5fea97972d423ae8567b3355c106f1c3fc (patch) | |
| tree | 0ed14e6ca56f4424dd4baf6992212ae9cab192d6 /src | |
| parent | 29656fa80a131823d2354d1e12174d34ceb91019 (diff) | |
| download | openbsd-8c090a5fea97972d423ae8567b3355c106f1c3fc.tar.gz openbsd-8c090a5fea97972d423ae8567b3355c106f1c3fc.tar.bz2 openbsd-8c090a5fea97972d423ae8567b3355c106f1c3fc.zip | |
Missing bounds check in do_PVK_body(); OpenSSL RT #2277, from OpenSSL trunk,
but without a memory leak.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/pem/pvkfmt.c | 14 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/pem/pvkfmt.c | 14 |
2 files changed, 20 insertions, 8 deletions
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c index 55cfffa7bc..32fcc181f7 100644 --- a/src/lib/libcrypto/pem/pvkfmt.c +++ b/src/lib/libcrypto/pem/pvkfmt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: pvkfmt.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */ | 1 | /* $OpenBSD: pvkfmt.c,v 1.10 2014/07/11 15:35:53 miod Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2005. | 3 | * project 2005. |
| 4 | */ | 4 | */ |
| @@ -722,13 +722,14 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, | |||
| 722 | const unsigned char *p = *in; | 722 | const unsigned char *p = *in; |
| 723 | unsigned int magic; | 723 | unsigned int magic; |
| 724 | unsigned char *enctmp = NULL, *q; | 724 | unsigned char *enctmp = NULL, *q; |
| 725 | |||
| 726 | EVP_CIPHER_CTX cctx; | 725 | EVP_CIPHER_CTX cctx; |
| 726 | |||
| 727 | EVP_CIPHER_CTX_init(&cctx); | 727 | EVP_CIPHER_CTX_init(&cctx); |
| 728 | if (saltlen) { | 728 | if (saltlen) { |
| 729 | char psbuf[PEM_BUFSIZE]; | 729 | char psbuf[PEM_BUFSIZE]; |
| 730 | unsigned char keybuf[20]; | 730 | unsigned char keybuf[20]; |
| 731 | int enctmplen, inlen; | 731 | int enctmplen, inlen; |
| 732 | |||
| 732 | if (cb) | 733 | if (cb) |
| 733 | inlen = cb(psbuf, PEM_BUFSIZE, 0, u); | 734 | inlen = cb(psbuf, PEM_BUFSIZE, 0, u); |
| 734 | else | 735 | else |
| @@ -742,8 +743,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, | |||
| 742 | PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); | 743 | PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); |
| 743 | return NULL; | 744 | return NULL; |
| 744 | } | 745 | } |
| 745 | if (!derive_pvk_key(keybuf, p, saltlen, | 746 | if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, |
| 746 | (unsigned char *)psbuf, inlen)) { | 747 | inlen)) { |
| 747 | free(enctmp); | 748 | free(enctmp); |
| 748 | return NULL; | 749 | return NULL; |
| 749 | } | 750 | } |
| @@ -751,6 +752,11 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, | |||
| 751 | /* Copy BLOBHEADER across, decrypt rest */ | 752 | /* Copy BLOBHEADER across, decrypt rest */ |
| 752 | memcpy(enctmp, p, 8); | 753 | memcpy(enctmp, p, 8); |
| 753 | p += 8; | 754 | p += 8; |
| 755 | if (keylen < 8) { | ||
| 756 | PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT); | ||
| 757 | free(enctmp); | ||
| 758 | return NULL; | ||
| 759 | } | ||
| 754 | inlen = keylen - 8; | 760 | inlen = keylen - 8; |
| 755 | q = enctmp + 8; | 761 | q = enctmp + 8; |
| 756 | if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) | 762 | if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) |
diff --git a/src/lib/libssl/src/crypto/pem/pvkfmt.c b/src/lib/libssl/src/crypto/pem/pvkfmt.c index 55cfffa7bc..32fcc181f7 100644 --- a/src/lib/libssl/src/crypto/pem/pvkfmt.c +++ b/src/lib/libssl/src/crypto/pem/pvkfmt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: pvkfmt.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */ | 1 | /* $OpenBSD: pvkfmt.c,v 1.10 2014/07/11 15:35:53 miod Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2005. | 3 | * project 2005. |
| 4 | */ | 4 | */ |
| @@ -722,13 +722,14 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, | |||
| 722 | const unsigned char *p = *in; | 722 | const unsigned char *p = *in; |
| 723 | unsigned int magic; | 723 | unsigned int magic; |
| 724 | unsigned char *enctmp = NULL, *q; | 724 | unsigned char *enctmp = NULL, *q; |
| 725 | |||
| 726 | EVP_CIPHER_CTX cctx; | 725 | EVP_CIPHER_CTX cctx; |
| 726 | |||
| 727 | EVP_CIPHER_CTX_init(&cctx); | 727 | EVP_CIPHER_CTX_init(&cctx); |
| 728 | if (saltlen) { | 728 | if (saltlen) { |
| 729 | char psbuf[PEM_BUFSIZE]; | 729 | char psbuf[PEM_BUFSIZE]; |
| 730 | unsigned char keybuf[20]; | 730 | unsigned char keybuf[20]; |
| 731 | int enctmplen, inlen; | 731 | int enctmplen, inlen; |
| 732 | |||
| 732 | if (cb) | 733 | if (cb) |
| 733 | inlen = cb(psbuf, PEM_BUFSIZE, 0, u); | 734 | inlen = cb(psbuf, PEM_BUFSIZE, 0, u); |
| 734 | else | 735 | else |
| @@ -742,8 +743,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, | |||
| 742 | PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); | 743 | PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE); |
| 743 | return NULL; | 744 | return NULL; |
| 744 | } | 745 | } |
| 745 | if (!derive_pvk_key(keybuf, p, saltlen, | 746 | if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf, |
| 746 | (unsigned char *)psbuf, inlen)) { | 747 | inlen)) { |
| 747 | free(enctmp); | 748 | free(enctmp); |
| 748 | return NULL; | 749 | return NULL; |
| 749 | } | 750 | } |
| @@ -751,6 +752,11 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, | |||
| 751 | /* Copy BLOBHEADER across, decrypt rest */ | 752 | /* Copy BLOBHEADER across, decrypt rest */ |
| 752 | memcpy(enctmp, p, 8); | 753 | memcpy(enctmp, p, 8); |
| 753 | p += 8; | 754 | p += 8; |
| 755 | if (keylen < 8) { | ||
| 756 | PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT); | ||
| 757 | free(enctmp); | ||
| 758 | return NULL; | ||
| 759 | } | ||
| 754 | inlen = keylen - 8; | 760 | inlen = keylen - 8; |
| 755 | q = enctmp + 8; | 761 | q = enctmp + 8; |
| 756 | if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) | 762 | if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) |