[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Mon Aug 15 23:20:11 UTC 2016
The branch master has been updated
via 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa (commit)
via 07bed46f332fce8c1d157689a2cdf915a982ae34 (commit)
from 40c60b0d7389aa479cf7474a080737e901944d0d (commit)
- Log -----------------------------------------------------------------
commit 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Aug 5 14:33:03 2016 +0100
Check for errors in a2d_ASN1_OBJECT()
Check for error return in BN_div_word().
Reviewed-by: Tim Hudson <tjh at openssl.org>
commit 07bed46f332fce8c1d157689a2cdf915a982ae34
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Aug 5 14:26:03 2016 +0100
Check for errors in BN_bn2dec()
If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.
Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.
Thanks to Shi Lei for reporting this bug.
CVE-2016-2182
Reviewed-by: Tim Hudson <tjh at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_object.c | 8 ++++++--
crypto/bn/bn_print.c | 8 +++++++-
2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 6fc7681..79f0ecd 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -127,8 +127,12 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
if (tmp == NULL)
goto err;
}
- while (blsize--)
- tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L);
+ while (blsize--) {
+ BN_ULONG t = BN_div_word(bl, 0x80L);
+ if (t == (BN_ULONG)-1)
+ goto err;
+ tmp[i++] = (unsigned char)t;
+ }
} else {
for (;;) {
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index 8672c7e..f6030ff 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -62,6 +62,7 @@ char *BN_bn2dec(const BIGNUM *a)
char *p;
BIGNUM *t = NULL;
BN_ULONG *bn_data = NULL, *lp;
+ int bn_data_num;
/*-
* get an upper bound for the length of the decimal integer
@@ -71,7 +72,8 @@ char *BN_bn2dec(const BIGNUM *a)
*/
i = BN_num_bits(a) * 3;
num = (i / 10 + i / 1000 + 1) + 1;
- bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+ bn_data_num = num / BN_DEC_NUM + 1;
+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
buf = OPENSSL_malloc(num + 3);
if ((buf == NULL) || (bn_data == NULL)) {
BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
@@ -93,7 +95,11 @@ char *BN_bn2dec(const BIGNUM *a)
i = 0;
while (!BN_is_zero(t)) {
*lp = BN_div_word(t, BN_DEC_CONV);
+ if (*lp == (BN_ULONG)-1)
+ goto err;
lp++;
+ if (lp - bn_data >= bn_data_num)
+ goto err;
}
lp--;
/*
More information about the openssl-commits
mailing list