bound lengths coming out of a pem file to something like reality

ok deraadt@
author: beck <> 2016-03-02 05:02:35 +0000
committer: beck <> 2016-03-02 05:02:35 +0000
commit: 43ee3676b33314f3bcd9e058836959422b737ad4 (patch)
tree: 45e26235a5a1ac871e790f1c7fa3fb3f31a8414f /src
parent: 9c7b2fdb93f67e1e60d5da96626b8d20144a5931 (diff)
download: openbsd-43ee3676b33314f3bcd9e058836959422b737ad4.tar.gz
openbsd-43ee3676b33314f3bcd9e058836959422b737ad4.tar.bz2
openbsd-43ee3676b33314f3bcd9e058836959422b737ad4.zip
2 files changed, 14 insertions, 6 deletions
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index f5a9de39fc..c3fd0e8d0a 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.14 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -681,6 +681,10 @@ do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic,
        is_encrypted = read_ledword(&p);
        *psaltlen = read_ledword(&p);
        *pkeylen = read_ledword(&p);
+        if (*psaltlen > 65536 || *pkeylen > 65536) {
+                PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
+                return 0;
+        }
        if (is_encrypted && !*psaltlen) {
                PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
@@ -796,7 +800,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
 {
        unsigned char pvk_hdr[24], *buf = NULL;
        const unsigned char *p;
-        int buflen;
+        size_t buflen;
        EVP_PKEY *ret = NULL;
        unsigned int saltlen, keylen;
@@ -808,7 +812,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
        if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen))
                return 0;
-        buflen = (int) keylen + saltlen;
+        buflen = keylen + saltlen;
        buf = malloc(buflen);
        if (!buf) {
                PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libssl/src/crypto/pem/pvkfmt.c b/src/lib/libssl/src/crypto/pem/pvkfmt.c
index f5a9de39fc..c3fd0e8d0a 100644
--- a/src/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/src/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.14 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -681,6 +681,10 @@ do_PVK_header(const unsigned char **in, unsigned int length, int skip_magic,
        is_encrypted = read_ledword(&p);
        *psaltlen = read_ledword(&p);
        *pkeylen = read_ledword(&p);
+        if (*psaltlen > 65536 || *pkeylen > 65536) {
+                PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_ERROR_CONVERTING_PRIVATE_KEY);
+                return 0;
+        }
        if (is_encrypted && !*psaltlen) {
                PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
@@ -796,7 +800,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
 {
        unsigned char pvk_hdr[24], *buf = NULL;
        const unsigned char *p;
-        int buflen;
+        size_t buflen;
        EVP_PKEY *ret = NULL;
        unsigned int saltlen, keylen;
@@ -808,7 +812,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
        if (!do_PVK_header(&p, 24, 0, &saltlen, &keylen))
                return 0;
-        buflen = (int) keylen + saltlen;
+        buflen = keylen + saltlen;
        buf = malloc(buflen);
        if (!buf) {
                PEMerr(PEM_F_B2I_PVK_BIO, ERR_R_MALLOC_FAILURE);
author	beck <>	2016-03-02 05:02:35 +0000
committer	beck <>	2016-03-02 05:02:35 +0000
commit	43ee3676b33314f3bcd9e058836959422b737ad4 (patch)
tree	45e26235a5a1ac871e790f1c7fa3fb3f31a8414f /src
parent	9c7b2fdb93f67e1e60d5da96626b8d20144a5931 (diff)
download	openbsd-43ee3676b33314f3bcd9e058836959422b737ad4.tar.gz openbsd-43ee3676b33314f3bcd9e058836959422b737ad4.tar.bz2 openbsd-43ee3676b33314f3bcd9e058836959422b737ad4.zip