authorjsing <>2015-06-11 15:58:53 +0000
committerjsing <>2015-06-11 15:58:53 +0000
commitc9348abcdc881fc5e502b4a2f135e434081a5448 (patch)
treee702411b65c7ed69d4ba1fddca1224513878bf3b /src
parenta6990537f691ee9962f6bae09adc9de869ac239a (diff)
Avoid a potential out-of-bounds read in X509_cmp_time(), due to missing
length checks. Diff based on changes in OpenSSL. Fixes CVE-2015-1789. ok doug@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c31
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vfy.c31
2 files changed, 54 insertions, 8 deletions
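diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 442035625a..a20c755d7f 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.41 2015/04/11 16:03:21 deraadt Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.42 2015/06/11 15:58:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1644,35 +1644,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
  memcpy(p, str, 10);
  p += 10;
  str += 10;
+ i -= 10;
  } else {
  if (i < 13)
  return 0;
  memcpy(p, str, 12);
  p += 12;
  str += 12;
+ i -= 12;
  }
 
+ if (i < 1)
+ return 0;
  if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
  *(p++) = '0';
  *(p++) = '0';
  } else {
+ if (i < 2)
+ return 0;
  *(p++) = *(str++);
  *(p++) = *(str++);
+ i -= 2;
+ if (i < 1)
+ return 0;
  /* Skip any fractional seconds... */
  if (*str == '.') {
  str++;
- while ((*str >= '0') && (*str <= '9'))
+ i--;
+ while (i > 1 && (*str >= '0') && (*str <= '9')) {
  str++;
+ i--;
+ }
  }
  }
  *(p++) = 'Z';
  *(p++) = '\0';
 
- if (*str == 'Z')
+ if (i < 1)
+ return 0;
+ if (*str == 'Z') {
+ if (i != 1)
+ return 0;
  offset = 0;
- else {
+ } else {
+ if (i != 5)
+ return 0;
  if ((*str != '+') && (*str != '-'))
  return 0;
+ if (str[1] < '0' || str[1] > '9' ||
+ str[2] < '0' || str[2] > '9' ||
+ str[3] < '0' || str[3] > '9' ||
+ str[4] < '0' || str[4] > '9')
+ return 0;
  offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
  offset += (str[3] - '0') * 10 + (str[4] - '0');
  if (*str == '-')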
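Review bot: The two seconds bytes copied at new lines 1665-1666 (`*(p++) = *(str++);`) are guarded only by the `i < 2` length check, so non-digit or NUL bytes from the certificate's time field still land in the buffer `p` points into, whereas the offset digits further down are now range-checked. A matching check before the copy would close that, e.g. `if (str[0] < '0' || str[0] > '9' || str[1] < '0' || str[1] > '9') return 0;`; the 10/12 bytes taken by `memcpy` look equally unchecked, though code before the hunk may already cover them. The loop bound also deserves a comment such as `/* i > 1: keep one byte for the zone designator */`, since `i` now doubles as the remaining-length counter. X509_cmp_time() begins and ends outside the hunk, so how the buffer is consumed afterwards is not visible here; the identical hunk in src/lib/libssl/src/crypto/x509/x509_vfy.c has the same gap.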
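diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 442035625a..a20c755d7f 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.41 2015/04/11 16:03:21 deraadt Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.42 2015/06/11 15:58:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1644,35 +1644,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
  memcpy(p, str, 10);
  p += 10;
  str += 10;
+ i -= 10;
  } else {
  if (i < 13)
  return 0;
  memcpy(p, str, 12);
  p += 12;
  str += 12;
+ i -= 12;
  }
 
+ if (i < 1)
+ return 0;
  if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
  *(p++) = '0';
  *(p++) = '0';
  } else {
+ if (i < 2)
+ return 0;
  *(p++) = *(str++);
  *(p++) = *(str++);
+ i -= 2;
+ if (i < 1)
+ return 0;
  /* Skip any fractional seconds... */
  if (*str == '.') {
  str++;
- while ((*str >= '0') && (*str <= '9'))
+ i--;
+ while (i > 1 && (*str >= '0') && (*str <= '9')) {
  str++;
+ i--;
+ }
  }
  }
  *(p++) = 'Z';
  *(p++) = '\0';
 
- if (*str == 'Z')
+ if (i < 1)
+ return 0;
+ if (*str == 'Z') {
+ if (i != 1)
+ return 0;
  offset = 0;
- else {
+ } else {
+ if (i != 5)
+ return 0;
  if ((*str != '+') && (*str != '-'))
  return 0;
+ if (str[1] < '0' || str[1] > '9' ||
+ str[2] < '0' || str[2] > '9' ||
+ str[3] < '0' || str[3] > '9' ||
+ str[4] < '0' || str[4] > '9')
+ return 0;
  offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
  offset += (str[3] - '0') * 10 + (str[4] - '0');
  if (*str == '-')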