[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Tue May 3 09:30:10 UTC 2016


The branch OpenSSL_1_0_2-stable has been updated
       via  9f2ccf1d718ab66c778a623f9aed3cddf17503a2 (commit)
      from  3ab937bc440371fbbe74318ce494ba95021f850a (commit)


- Log -----------------------------------------------------------------
commit 9f2ccf1d718ab66c778a623f9aed3cddf17503a2
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Apr 28 10:46:55 2016 +0100

    Prevent EBCDIC overread for very long strings
    
    ASN1 Strings that are over 1024 bytes can cause an overread in
    applications using the X509_NAME_oneline() function on EBCDIC systems.
    This could result in arbitrary stack data being returned in the buffer.
    
    Issue reported by Guido Vranken.
    
    CVE-2016-2176
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x509_obj.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c
index f7daac2..3de3ac7 100644
--- a/crypto/x509/x509_obj.c
+++ b/crypto/x509/x509_obj.c
@@ -130,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
             type == V_ASN1_PRINTABLESTRING ||
             type == V_ASN1_TELETEXSTRING ||
             type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
-            ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
-                         ? sizeof ebcdic_buf : num);
+            if (num > (int)sizeof(ebcdic_buf))
+                num = sizeof(ebcdic_buf);
+            ascii2ebcdic(ebcdic_buf, q, num);
             q = ebcdic_buf;
         }
 #endif


More information about the openssl-commits mailing list