diff options
| author | tedu <> | 2016-05-04 14:58:09 +0000 |
|---|---|---|
| committer | tedu <> | 2016-05-04 14:58:09 +0000 |
| commit | a13a93d0f8c83fad01fac011cfe6cc1e76233021 (patch) | |
| tree | e9d3570998147139858e4f0640cbb8ec224121a8 /src | |
| parent | 4096055d9cd6edcc7dcc68642cda6f83563aa77a (diff) | |
| download | openbsd-a13a93d0f8c83fad01fac011cfe6cc1e76233021.tar.gz openbsd-a13a93d0f8c83fad01fac011cfe6cc1e76233021.tar.bz2 openbsd-a13a93d0f8c83fad01fac011cfe6cc1e76233021.zip | |
be careful about consuming excessive memory by reading in chunks.
CVE-2016-2109 from openssl.
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/asn1/a_d2i_fp.c | 51 | ||||
| -rw-r--r-- | src/lib/libssl/src/crypto/asn1/a_d2i_fp.c | 51 |
2 files changed, 74 insertions, 28 deletions
diff --git a/src/lib/libcrypto/asn1/a_d2i_fp.c b/src/lib/libcrypto/asn1/a_d2i_fp.c index d85be56568..96416540c4 100644 --- a/src/lib/libcrypto/asn1/a_d2i_fp.c +++ b/src/lib/libcrypto/asn1/a_d2i_fp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: a_d2i_fp.c,v 1.13 2016/05/04 14:53:29 tedu Exp $ */ | 1 | /* $OpenBSD: a_d2i_fp.c,v 1.14 2016/05/04 14:58:09 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -144,6 +144,7 @@ ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x) | |||
| 144 | } | 144 | } |
| 145 | 145 | ||
| 146 | #define HEADER_SIZE 8 | 146 | #define HEADER_SIZE 8 |
| 147 | #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024) | ||
| 147 | static int | 148 | static int |
| 148 | asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | 149 | asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) |
| 149 | { | 150 | { |
| @@ -167,18 +168,22 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 167 | if (want >= (len - off)) { | 168 | if (want >= (len - off)) { |
| 168 | want -= (len - off); | 169 | want -= (len - off); |
| 169 | 170 | ||
| 170 | if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) { | 171 | if (len + want < len || |
| 171 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); | 172 | !BUF_MEM_grow_clean(b, len + want)) { |
| 173 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | ||
| 174 | ERR_R_MALLOC_FAILURE); | ||
| 172 | goto err; | 175 | goto err; |
| 173 | } | 176 | } |
| 174 | i = BIO_read(in, &(b->data[len]), want); | 177 | i = BIO_read(in, &(b->data[len]), want); |
| 175 | if ((i < 0) && ((len - off) == 0)) { | 178 | if ((i < 0) && ((len - off) == 0)) { |
| 176 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_NOT_ENOUGH_DATA); | 179 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 180 | ASN1_R_NOT_ENOUGH_DATA); | ||
| 177 | goto err; | 181 | goto err; |
| 178 | } | 182 | } |
| 179 | if (i > 0) { | 183 | if (i > 0) { |
| 180 | if (len + i < len) { | 184 | if (len + i < len) { |
| 181 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 185 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 186 | ASN1_R_TOO_LONG); | ||
| 182 | goto err; | 187 | goto err; |
| 183 | } | 188 | } |
| 184 | len += i; | 189 | len += i; |
| @@ -206,7 +211,8 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 206 | /* no data body so go round again */ | 211 | /* no data body so go round again */ |
| 207 | eos++; | 212 | eos++; |
| 208 | if (eos < 0) { | 213 | if (eos < 0) { |
| 209 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_HEADER_TOO_LONG); | 214 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 215 | ASN1_R_HEADER_TOO_LONG); | ||
| 210 | goto err; | 216 | goto err; |
| 211 | } | 217 | } |
| 212 | want = HEADER_SIZE; | 218 | want = HEADER_SIZE; |
| @@ -221,28 +227,45 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 221 | /* suck in c.slen bytes of data */ | 227 | /* suck in c.slen bytes of data */ |
| 222 | want = c.slen; | 228 | want = c.slen; |
| 223 | if (want > (len - off)) { | 229 | if (want > (len - off)) { |
| 230 | size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE; | ||
| 231 | |||
| 224 | want -= (len - off); | 232 | want -= (len - off); |
| 225 | if (want > INT_MAX /* BIO_read takes an int length */ || | 233 | if (want > INT_MAX /* BIO_read takes an int length */ || |
| 226 | len+want < len) { | 234 | len+want < len) { |
| 227 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 235 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 236 | ASN1_R_TOO_LONG); | ||
| 228 | goto err; | 237 | goto err; |
| 229 | } | 238 | } |
| 230 | if (!BUF_MEM_grow_clean(b, len + want)) { | 239 | /* |
| 231 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); | 240 | * Read content in chunks of increasing size |
| 241 | * so we can return an error for EOF without | ||
| 242 | * having to allocate the entire content length | ||
| 243 | * in one go. | ||
| 244 | */ | ||
| 245 | size_t chunk = want > chunk_max ? chunk_max : want; | ||
| 246 | |||
| 247 | if (!BUF_MEM_grow_clean(b, len + chunk)) { | ||
| 248 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | ||
| 249 | ERR_R_MALLOC_FAILURE); | ||
| 232 | goto err; | 250 | goto err; |
| 233 | } | 251 | } |
| 234 | while (want > 0) { | 252 | want -= chunk; |
| 235 | i = BIO_read(in, &(b->data[len]), want); | 253 | while (chunk > 0) { |
| 254 | i = BIO_read(in, &(b->data[len]), chunk); | ||
| 236 | if (i <= 0) { | 255 | if (i <= 0) { |
| 237 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | 256 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 238 | ASN1_R_NOT_ENOUGH_DATA); | 257 | ASN1_R_NOT_ENOUGH_DATA); |
| 239 | goto err; | 258 | goto err; |
| 240 | } | 259 | } |
| 241 | /* This can't overflow because | 260 | /* |
| 242 | * |len+want| didn't overflow. */ | 261 | * This can't overflow because |len+want| |
| 262 | * didn't overflow. | ||
| 263 | */ | ||
| 243 | len += i; | 264 | len += i; |
| 244 | want -= i; | 265 | chunk -= i; |
| 245 | } | 266 | } |
| 267 | if (chunk_max < INT_MAX/2) | ||
| 268 | chunk_max *= 2; | ||
| 246 | } | 269 | } |
| 247 | if (off + c.slen < off) { | 270 | if (off + c.slen < off) { |
| 248 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 271 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); |
diff --git a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c index d85be56568..96416540c4 100644 --- a/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c +++ b/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: a_d2i_fp.c,v 1.13 2016/05/04 14:53:29 tedu Exp $ */ | 1 | /* $OpenBSD: a_d2i_fp.c,v 1.14 2016/05/04 14:58:09 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -144,6 +144,7 @@ ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x) | |||
| 144 | } | 144 | } |
| 145 | 145 | ||
| 146 | #define HEADER_SIZE 8 | 146 | #define HEADER_SIZE 8 |
| 147 | #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024) | ||
| 147 | static int | 148 | static int |
| 148 | asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | 149 | asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) |
| 149 | { | 150 | { |
| @@ -167,18 +168,22 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 167 | if (want >= (len - off)) { | 168 | if (want >= (len - off)) { |
| 168 | want -= (len - off); | 169 | want -= (len - off); |
| 169 | 170 | ||
| 170 | if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) { | 171 | if (len + want < len || |
| 171 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); | 172 | !BUF_MEM_grow_clean(b, len + want)) { |
| 173 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | ||
| 174 | ERR_R_MALLOC_FAILURE); | ||
| 172 | goto err; | 175 | goto err; |
| 173 | } | 176 | } |
| 174 | i = BIO_read(in, &(b->data[len]), want); | 177 | i = BIO_read(in, &(b->data[len]), want); |
| 175 | if ((i < 0) && ((len - off) == 0)) { | 178 | if ((i < 0) && ((len - off) == 0)) { |
| 176 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_NOT_ENOUGH_DATA); | 179 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 180 | ASN1_R_NOT_ENOUGH_DATA); | ||
| 177 | goto err; | 181 | goto err; |
| 178 | } | 182 | } |
| 179 | if (i > 0) { | 183 | if (i > 0) { |
| 180 | if (len + i < len) { | 184 | if (len + i < len) { |
| 181 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 185 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 186 | ASN1_R_TOO_LONG); | ||
| 182 | goto err; | 187 | goto err; |
| 183 | } | 188 | } |
| 184 | len += i; | 189 | len += i; |
| @@ -206,7 +211,8 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 206 | /* no data body so go round again */ | 211 | /* no data body so go round again */ |
| 207 | eos++; | 212 | eos++; |
| 208 | if (eos < 0) { | 213 | if (eos < 0) { |
| 209 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_HEADER_TOO_LONG); | 214 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 215 | ASN1_R_HEADER_TOO_LONG); | ||
| 210 | goto err; | 216 | goto err; |
| 211 | } | 217 | } |
| 212 | want = HEADER_SIZE; | 218 | want = HEADER_SIZE; |
| @@ -221,28 +227,45 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 221 | /* suck in c.slen bytes of data */ | 227 | /* suck in c.slen bytes of data */ |
| 222 | want = c.slen; | 228 | want = c.slen; |
| 223 | if (want > (len - off)) { | 229 | if (want > (len - off)) { |
| 230 | size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE; | ||
| 231 | |||
| 224 | want -= (len - off); | 232 | want -= (len - off); |
| 225 | if (want > INT_MAX /* BIO_read takes an int length */ || | 233 | if (want > INT_MAX /* BIO_read takes an int length */ || |
| 226 | len+want < len) { | 234 | len+want < len) { |
| 227 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 235 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 236 | ASN1_R_TOO_LONG); | ||
| 228 | goto err; | 237 | goto err; |
| 229 | } | 238 | } |
| 230 | if (!BUF_MEM_grow_clean(b, len + want)) { | 239 | /* |
| 231 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); | 240 | * Read content in chunks of increasing size |
| 241 | * so we can return an error for EOF without | ||
| 242 | * having to allocate the entire content length | ||
| 243 | * in one go. | ||
| 244 | */ | ||
| 245 | size_t chunk = want > chunk_max ? chunk_max : want; | ||
| 246 | |||
| 247 | if (!BUF_MEM_grow_clean(b, len + chunk)) { | ||
| 248 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | ||
| 249 | ERR_R_MALLOC_FAILURE); | ||
| 232 | goto err; | 250 | goto err; |
| 233 | } | 251 | } |
| 234 | while (want > 0) { | 252 | want -= chunk; |
| 235 | i = BIO_read(in, &(b->data[len]), want); | 253 | while (chunk > 0) { |
| 254 | i = BIO_read(in, &(b->data[len]), chunk); | ||
| 236 | if (i <= 0) { | 255 | if (i <= 0) { |
| 237 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | 256 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 238 | ASN1_R_NOT_ENOUGH_DATA); | 257 | ASN1_R_NOT_ENOUGH_DATA); |
| 239 | goto err; | 258 | goto err; |
| 240 | } | 259 | } |
| 241 | /* This can't overflow because | 260 | /* |
| 242 | * |len+want| didn't overflow. */ | 261 | * This can't overflow because |len+want| |
| 262 | * didn't overflow. | ||
| 263 | */ | ||
| 243 | len += i; | 264 | len += i; |
| 244 | want -= i; | 265 | chunk -= i; |
| 245 | } | 266 | } |
| 267 | if (chunk_max < INT_MAX/2) | ||
| 268 | chunk_max *= 2; | ||
| 246 | } | 269 | } |
| 247 | if (off + c.slen < off) { | 270 | if (off + c.slen < off) { |
| 248 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 271 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); |