summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authortedu <>2016-05-04 14:58:09 +0000
committertedu <>2016-05-04 14:58:09 +0000
commite205809b7a0b1df763f03b64d1cc28bfec3d8b71 (patch)
treee9d3570998147139858e4f0640cbb8ec224121a8 /src
parent519d297fc2fe7aa90db3d99be37ea38e11547106 (diff)
downloadopenbsd-e205809b7a0b1df763f03b64d1cc28bfec3d8b71.tar.gz
openbsd-e205809b7a0b1df763f03b64d1cc28bfec3d8b71.tar.bz2
openbsd-e205809b7a0b1df763f03b64d1cc28bfec3d8b71.zip
be careful about consuming excessive memory by reading in chunks.
CVE-2016-2109 from openssl.
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/asn1/a_d2i_fp.c51
-rw-r--r--src/lib/libssl/src/crypto/asn1/a_d2i_fp.c51
2 files changed, 74 insertions, 28 deletions
diff --git a/src/lib/libcrypto/asn1/a_d2i_fp.c b/src/lib/libcrypto/asn1/a_d2i_fp.c
index d85be56568..96416540c4 100644
--- a/src/lib/libcrypto/asn1/a_d2i_fp.c
+++ b/src/lib/libcrypto/asn1/a_d2i_fp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: a_d2i_fp.c,v 1.13 2016/05/04 14:53:29 tedu Exp $ */ 1/* $OpenBSD: a_d2i_fp.c,v 1.14 2016/05/04 14:58:09 tedu Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -144,6 +144,7 @@ ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
144} 144}
145 145
146#define HEADER_SIZE 8 146#define HEADER_SIZE 8
147#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
147static int 148static int
148asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) 149asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
149{ 150{
@@ -167,18 +168,22 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
167 if (want >= (len - off)) { 168 if (want >= (len - off)) {
168 want -= (len - off); 169 want -= (len - off);
169 170
170 if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) { 171 if (len + want < len ||
171 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); 172 !BUF_MEM_grow_clean(b, len + want)) {
173 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
174 ERR_R_MALLOC_FAILURE);
172 goto err; 175 goto err;
173 } 176 }
174 i = BIO_read(in, &(b->data[len]), want); 177 i = BIO_read(in, &(b->data[len]), want);
175 if ((i < 0) && ((len - off) == 0)) { 178 if ((i < 0) && ((len - off) == 0)) {
176 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_NOT_ENOUGH_DATA); 179 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
180 ASN1_R_NOT_ENOUGH_DATA);
177 goto err; 181 goto err;
178 } 182 }
179 if (i > 0) { 183 if (i > 0) {
180 if (len + i < len) { 184 if (len + i < len) {
181 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); 185 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
186 ASN1_R_TOO_LONG);
182 goto err; 187 goto err;
183 } 188 }
184 len += i; 189 len += i;
@@ -206,7 +211,8 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
206 /* no data body so go round again */ 211 /* no data body so go round again */
207 eos++; 212 eos++;
208 if (eos < 0) { 213 if (eos < 0) {
209 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_HEADER_TOO_LONG); 214 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
215 ASN1_R_HEADER_TOO_LONG);
210 goto err; 216 goto err;
211 } 217 }
212 want = HEADER_SIZE; 218 want = HEADER_SIZE;
@@ -221,28 +227,45 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
221 /* suck in c.slen bytes of data */ 227 /* suck in c.slen bytes of data */
222 want = c.slen; 228 want = c.slen;
223 if (want > (len - off)) { 229 if (want > (len - off)) {
230 size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
231
224 want -= (len - off); 232 want -= (len - off);
225 if (want > INT_MAX /* BIO_read takes an int length */ || 233 if (want > INT_MAX /* BIO_read takes an int length */ ||
226 len+want < len) { 234 len+want < len) {
227 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); 235 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
236 ASN1_R_TOO_LONG);
228 goto err; 237 goto err;
229 } 238 }
230 if (!BUF_MEM_grow_clean(b, len + want)) { 239 /*
231 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); 240 * Read content in chunks of increasing size
241 * so we can return an error for EOF without
242 * having to allocate the entire content length
243 * in one go.
244 */
245 size_t chunk = want > chunk_max ? chunk_max : want;
246
247 if (!BUF_MEM_grow_clean(b, len + chunk)) {
248 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
249 ERR_R_MALLOC_FAILURE);
232 goto err; 250 goto err;
233 } 251 }
234 while (want > 0) { 252 want -= chunk;
235 i = BIO_read(in, &(b->data[len]), want); 253 while (chunk > 0) {
254 i = BIO_read(in, &(b->data[len]), chunk);
236 if (i <= 0) { 255 if (i <= 0) {
237 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, 256 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
238 ASN1_R_NOT_ENOUGH_DATA); 257 ASN1_R_NOT_ENOUGH_DATA);
239 goto err; 258 goto err;
240 } 259 }
241 /* This can't overflow because 260 /*
242 * |len+want| didn't overflow. */ 261 * This can't overflow because |len+want|
262 * didn't overflow.
263 */
243 len += i; 264 len += i;
244 want -= i; 265 chunk -= i;
245 } 266 }
267 if (chunk_max < INT_MAX/2)
268 chunk_max *= 2;
246 } 269 }
247 if (off + c.slen < off) { 270 if (off + c.slen < off) {
248 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); 271 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
diff --git a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c
index d85be56568..96416540c4 100644
--- a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c
+++ b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: a_d2i_fp.c,v 1.13 2016/05/04 14:53:29 tedu Exp $ */ 1/* $OpenBSD: a_d2i_fp.c,v 1.14 2016/05/04 14:58:09 tedu Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -144,6 +144,7 @@ ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
144} 144}
145 145
146#define HEADER_SIZE 8 146#define HEADER_SIZE 8
147#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
147static int 148static int
148asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) 149asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
149{ 150{
@@ -167,18 +168,22 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
167 if (want >= (len - off)) { 168 if (want >= (len - off)) {
168 want -= (len - off); 169 want -= (len - off);
169 170
170 if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) { 171 if (len + want < len ||
171 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); 172 !BUF_MEM_grow_clean(b, len + want)) {
173 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
174 ERR_R_MALLOC_FAILURE);
172 goto err; 175 goto err;
173 } 176 }
174 i = BIO_read(in, &(b->data[len]), want); 177 i = BIO_read(in, &(b->data[len]), want);
175 if ((i < 0) && ((len - off) == 0)) { 178 if ((i < 0) && ((len - off) == 0)) {
176 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_NOT_ENOUGH_DATA); 179 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
180 ASN1_R_NOT_ENOUGH_DATA);
177 goto err; 181 goto err;
178 } 182 }
179 if (i > 0) { 183 if (i > 0) {
180 if (len + i < len) { 184 if (len + i < len) {
181 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); 185 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
186 ASN1_R_TOO_LONG);
182 goto err; 187 goto err;
183 } 188 }
184 len += i; 189 len += i;
@@ -206,7 +211,8 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
206 /* no data body so go round again */ 211 /* no data body so go round again */
207 eos++; 212 eos++;
208 if (eos < 0) { 213 if (eos < 0) {
209 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_HEADER_TOO_LONG); 214 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
215 ASN1_R_HEADER_TOO_LONG);
210 goto err; 216 goto err;
211 } 217 }
212 want = HEADER_SIZE; 218 want = HEADER_SIZE;
@@ -221,28 +227,45 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
221 /* suck in c.slen bytes of data */ 227 /* suck in c.slen bytes of data */
222 want = c.slen; 228 want = c.slen;
223 if (want > (len - off)) { 229 if (want > (len - off)) {
230 size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
231
224 want -= (len - off); 232 want -= (len - off);
225 if (want > INT_MAX /* BIO_read takes an int length */ || 233 if (want > INT_MAX /* BIO_read takes an int length */ ||
226 len+want < len) { 234 len+want < len) {
227 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); 235 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
236 ASN1_R_TOO_LONG);
228 goto err; 237 goto err;
229 } 238 }
230 if (!BUF_MEM_grow_clean(b, len + want)) { 239 /*
231 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); 240 * Read content in chunks of increasing size
241 * so we can return an error for EOF without
242 * having to allocate the entire content length
243 * in one go.
244 */
245 size_t chunk = want > chunk_max ? chunk_max : want;
246
247 if (!BUF_MEM_grow_clean(b, len + chunk)) {
248 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
249 ERR_R_MALLOC_FAILURE);
232 goto err; 250 goto err;
233 } 251 }
234 while (want > 0) { 252 want -= chunk;
235 i = BIO_read(in, &(b->data[len]), want); 253 while (chunk > 0) {
254 i = BIO_read(in, &(b->data[len]), chunk);
236 if (i <= 0) { 255 if (i <= 0) {
237 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, 256 ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
238 ASN1_R_NOT_ENOUGH_DATA); 257 ASN1_R_NOT_ENOUGH_DATA);
239 goto err; 258 goto err;
240 } 259 }
241 /* This can't overflow because 260 /*
242 * |len+want| didn't overflow. */ 261 * This can't overflow because |len+want|
262 * didn't overflow.
263 */
243 len += i; 264 len += i;
244 want -= i; 265 chunk -= i;
245 } 266 }
267 if (chunk_max < INT_MAX/2)
268 chunk_max *= 2;
246 } 269 }
247 if (off + c.slen < off) { 270 if (off + c.slen < off) {
248 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); 271 ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-26 15:12:59 +0000