From f5edd4467e4f88d1ef7a7847590853e8b1de2c29 Mon Sep 17 00:00:00 2001
From: miod <>
Date: Fri, 11 Jul 2014 15:35:53 +0000
Subject: Missing bounds check in do_PVK_body(); OpenSSL RT #2277, from OpenSSL
 trunk, but without a memory leak.

---
 src/lib/libcrypto/pem/pvkfmt.c         | 14 ++++++++++----
 src/lib/libssl/src/crypto/pem/pvkfmt.c | 14 ++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index 55cfffa7bc..32fcc181f7 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.10 2014/07/11 15:35:53 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -722,13 +722,14 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 	const unsigned char *p = *in;
 	unsigned int magic;
 	unsigned char *enctmp = NULL, *q;
-
 	EVP_CIPHER_CTX cctx;
+
 	EVP_CIPHER_CTX_init(&cctx);
 	if (saltlen) {
 		char psbuf[PEM_BUFSIZE];
 		unsigned char keybuf[20];
 		int enctmplen, inlen;
+
 		if (cb)
 			inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
 		else
@@ -742,8 +743,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 			PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
 			return NULL;
 		}
-		if (!derive_pvk_key(keybuf, p, saltlen,
-			    (unsigned char *)psbuf, inlen)) {
+		if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf,
+		    inlen)) {
 			free(enctmp);
 			return NULL;
 		}
@@ -751,6 +752,11 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 		/* Copy BLOBHEADER across, decrypt rest */
 		memcpy(enctmp, p, 8);
 		p += 8;
+		if (keylen < 8) {
+			PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
+			free(enctmp);
+			return NULL;
+		}
 		inlen = keylen - 8;
 		q = enctmp + 8;
 		if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
diff --git a/src/lib/libssl/src/crypto/pem/pvkfmt.c b/src/lib/libssl/src/crypto/pem/pvkfmt.c
index 55cfffa7bc..32fcc181f7 100644
--- a/src/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/src/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.10 2014/07/11 15:35:53 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -722,13 +722,14 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 	const unsigned char *p = *in;
 	unsigned int magic;
 	unsigned char *enctmp = NULL, *q;
-
 	EVP_CIPHER_CTX cctx;
+
 	EVP_CIPHER_CTX_init(&cctx);
 	if (saltlen) {
 		char psbuf[PEM_BUFSIZE];
 		unsigned char keybuf[20];
 		int enctmplen, inlen;
+
 		if (cb)
 			inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
 		else
@@ -742,8 +743,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 			PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
 			return NULL;
 		}
-		if (!derive_pvk_key(keybuf, p, saltlen,
-			    (unsigned char *)psbuf, inlen)) {
+		if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf,
+		    inlen)) {
 			free(enctmp);
 			return NULL;
 		}
@@ -751,6 +752,11 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 		/* Copy BLOBHEADER across, decrypt rest */
 		memcpy(enctmp, p, 8);
 		p += 8;
+		if (keylen < 8) {
+			PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
+			free(enctmp);
+			return NULL;
+		}
 		inlen = keylen - 8;
 		q = enctmp + 8;
 		if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
-- 
cgit v1.2.3-55-g6feb