From c6985e683db078656f9f4ec499be1ef35bdce285 Mon Sep 17 00:00:00 2001
From: guenther <>
Date: Fri, 8 Aug 2014 04:53:43 +0000
Subject: Fix CVE-2014-3508, pretty printing and OID validation:
 - make sure the output buffer is always NUL terminated if buf_len was initially greater than zero.
 - reject OIDs that are too long, too short, or not in proper base-127
 Based on https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0042fb5fd1c9d257d713b15a1f45da05cf5c1c87
 ok bcook@
---
 src/lib/libcrypto/objects/obj_dat.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 (limited to 'src/lib/libcrypto/objects/obj_dat.c')
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 071febba52..15c298e333 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_dat.c,v 1.30 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: obj_dat.c,v 1.31 2014/08/08 04:53:43 guenther Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -495,6 +495,10 @@ OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 unsigned long l;
 const unsigned char *p;

+ /* Ensure that, at every state, |buf| is NUL-terminated. */
+ if (buf_len > 0)
+ buf[0] = '\0';
+
 if ((a == NULL) || (a->data == NULL))
 goto err;

@@ -554,8 +558,9 @@ OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 i = (int)(l / 40);
 l -= (long)(i * 40);
 }
- if (buf_len > 0) {
+ if (buf_len > 1) {
 *buf++ = i + '0';
+ *buf = '\0';
 buf_len--;
 }
 ret++;
--
cgit v1.2.3-55-g6feb
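Review bot: The guard added in the `@@ -495,6 +495,10 @@` hunk stores to `buf[0]` whenever `buf_len > 0` but never tests `buf` itself, so a NULL buffer passed with a positive length would be dereferenced on the first statement, before the `a == NULL` check can take the error path. Whether callers are allowed to pass NULL to ask only for the required length is not visible here; if they are, the guard should read `if (buf != NULL && buf_len > 0)`. The body of OBJ_obj2txt starts and ends outside this hunk, so the other places that write through `buf` cannot be checked from this view.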
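Review bot: The `buf_len > 1` test in the `@@ -554,8 +558,9 @@` hunk needs a comment, because neither the reason for `1` nor its effect on the running count is obvious from the code. One byte is held back for the terminator stored by `*buf = '\0'`, and `ret++` sits outside the braces, so the digit is counted even when it is not written. If `ret` is the returned length (the return statement is outside the hunk), a caller can only notice truncation by comparing the result with its buffer size. I would add `/* keep one byte for the NUL; ret counts the digit even when it is dropped */` above the `if`. The enclosing function continues past the hunk on both sides, so the later separator and sub-identifier writes should be confirmed to reserve the same byte.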