author | tb <> | 2023-03-12 11:49:02 +0000 |
---|---|---|
committer | tb <> | 2023-03-12 11:49:02 +0000 |
commit | b47b779f39c9bb247f8b61b2cf22ed2c7941ef56 (patch) | |
tree | 1249037175234f9adee9132b9d5becc21fca3206 /src | |
parent | e6d5f42388b2168766dd16c5b2092770c522dc7e (diff) | |
Avoid an 1 byte out-of-bounds read in ASN1_PRINTABLE_type()
In case the input is not NUL terminated, the reversed check for length
and terminating NUL results in a one-byte overread. The documentation
says that the input should be a string, but in ASN.1 land you never
know...
Reported by Guido Vranken a while back
ok beck
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libcrypto/asn1/a_print.c | 4 |
1 files changed, 2 insertions, 2 deletions
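--- a/src/lib/libcrypto/asn1/a_print.c
+++ b/src/lib/libcrypto/asn1/a_print.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_print.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: a_print.c,v 1.12 2023/03/12 11:49:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -72,7 +72,7 @@ ASN1_PRINTABLE_type(const unsigned char *s, int len)
 if (s == NULL)
 return (V_ASN1_PRINTABLESTRING);
 
-while ((*s) && (len-- != 0)) {
+while (len-- > 0 && *s != '\0') {
 c= *(s++);
 if (!(((c >= 'a') && (c <= 'z')) ||
 ((c >= 'A') && (c <= 'Z')) ||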
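Review bot: The switch from `len-- != 0` to `len-- > 0` on new line 75 also changes what a negative `len` does: the old condition kept scanning until the NUL, while the new one skips the loop entirely, so the type is decided without examining a single byte. The function begins and ends outside this hunk, so any normalisation of `len` before the `s == NULL` check is not visible here and this may already be covered. If some callers pass a negative length to mean "NUL-terminated, length unknown", that case should be handled explicitly ahead of the loop rather than silently treated as empty. Either way I would state the contract in a comment above the loop, for example `/* len is the number of readable bytes at s; len <= 0 means nothing is examined. */`.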