[openssl-commits] [openssl] master update

Andy Polyakov appro at openssl.org
Tue Sep 19 19:32:24 UTC 2017


The branch master has been updated
       via  6b1c8204b33aaedb7df7a009c241412839aaf950 (commit)
      from  d2ef6e4ecc517de9d3d7f71180a6855f1f4d3243 (commit)


- Log -----------------------------------------------------------------
commit 6b1c8204b33aaedb7df7a009c241412839aaf950
Author: David Benjamin <davidben at google.com>
Date:   Mon Sep 18 15:58:41 2017 -0400

    Fix overflow in c2i_ASN1_BIT_STRING.
    
    c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
    bounds before doing so. Previously, excessively large inputs to the
    function could write a single byte outside the target buffer. (This is
    unreachable as asn1_ex_c2i already uses int for the length.)
    
    Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4385)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_bitstr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 33be907..b2e0fb6 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <limits.h>
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1.h>
@@ -88,6 +89,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
         goto err;
     }
 
+    if (len > INT_MAX) {
+        i = ASN1_R_STRING_TOO_LONG;
+        goto err;
+    }
+
     if ((a == NULL) || ((*a) == NULL)) {
         if ((ret = ASN1_BIT_STRING_new()) == NULL)
             return (NULL);


More information about the openssl-commits mailing list