[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
Dr. Stephen Henson
steve at openssl.org
Mon Aug 15 23:28:42 UTC 2016
The branch OpenSSL_1_0_1-stable has been updated
via 17603dd994d6738c36ef7ab27e352aec9d6bd605 (commit)
from 28a89639da50b1caed4ff3015508f23173bf3e49 (commit)
- Log -----------------------------------------------------------------
commit 17603dd994d6738c36ef7ab27e352aec9d6bd605
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Mon Aug 15 16:52:21 2016 +0100
Limit reads in do_b2i_bio()
Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.
Thanks to Shi Lei for reporting this.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 66bcba145740e4f1210499ba6e5033035a2a4647)
-----------------------------------------------------------------------
Summary of changes:
crypto/pem/pvkfmt.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 6186446..1ce5a1e 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -127,6 +127,9 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
# define MS_KEYTYPE_KEYX 0x1
# define MS_KEYTYPE_SIGN 0x2
+/* Maximum length of a blob after header */
+# define BLOB_MAX_LENGTH 102400
+
/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
# define MS_PVKMAGIC 0xb0b5f11eL
/* Salt length for PVK files */
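Review bot: `BLOB_MAX_LENGTH 102400` is a bare constant whose comment says what it bounds but not how the value was chosen. Add a sentence to the comment tying it to the largest key blob that `blob_length()` can legitimately produce for the supported bit lengths (and note that it is a DoS bound, not a format limit), so that a later increase in supported key sizes does not silently start rejecting valid PVK/MSBLOB files.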
@@ -272,6 +275,10 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
return NULL;
length = blob_length(bitlen, isdss, ispub);
+ if (length > BLOB_MAX_LENGTH) {
+ PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG);
+ return NULL;
+ }
buf = OPENSSL_malloc(length);
if (!buf) {
PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);
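Review bot: the bound is checked after `length = blob_length(bitlen, isdss, ispub);` and before `OPENSSL_malloc(length)`, which is the right place, but `PEM_R_HEADER_TOO_LONG` describes the header while `length` measures the key blob body that follows it; the misleading error string will confuse anyone debugging a legitimately large key that exceeds `BLOB_MAX_LENGTH`. Either use a dedicated reason code or add a comment next to the `PEMerr` call explaining the reuse, and consider pairing the change with a test that feeds a header claiming an oversized `bitlen` and expects this error rather than an allocation attempt.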