[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
matthias.st.pierre at ncp-e.com
Tue Feb 27 17:40:03 UTC 2018
The branch OpenSSL_1_1_0-stable has been updated
via 5eb9a426d953b17c377b87315d0666c86126022f (commit)
from 4974a6f21b3e1aee969174fd20e2a68c36237e71 (commit)
- Log -----------------------------------------------------------------
commit 5eb9a426d953b17c377b87315d0666c86126022f
Author: Dr. Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
Date: Wed Feb 21 01:45:14 2018 +0100
bio_b64.c: prevent base64 filter BIO from decoding out-of-bound data

Fixes #5405, #1381

The base64 filter BIO reads its input in chunks of B64_BLOCK_SIZE bytes.
When processing input in PEM format it can happen in rare cases that
- the trailing PEM marker crosses the boundary of a chunk, and
- the beginning of the following chunk contains valid base64 encoded data.

This happened in issue #5405, where the PEM marker was split into
"-----END CER" and "TIFICATE-----" at the end of the first chunk.

The decoding of the first chunk terminated correctly at the '-' character,
which is treated as an EOF marker, and b64_read() returned. However,
when called the second time, b64_read() read the next chunk and interpreted
the string "TIFICATE" as valid base64 encoded data, adding 6 extra bytes
'4c 81 48 08 04 c4'.

This patch restores the assignment of the error code to 'ctx->cont', which
was deleted accidentally in commit 5562cfaca4f3 and which prevents b64_read()
from reading additional data on subsequent calls.

This issue was observed and reported by Annie Yousar.

Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5422)
-----------------------------------------------------------------------
Summary of changes:
crypto/evp/bio_b64.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c
index 41a10a7..05019fd 100644
--- a/crypto/evp/bio_b64.c
+++ b/crypto/evp/bio_b64.c
@@ -288,6 +288,14 @@ static int b64_read(BIO *b, char *out, int outl)
(unsigned char *)ctx->tmp, i);
ctx->tmp_len = 0;
}
+ /*
+ * If eof or an error was signalled, then the condition
+ * 'ctx->cont <= 0' will prevent b64_read() from reading
+ * more data on subsequent calls. This assignment was
+ * deleted accidentally in commit 5562cfaca4f3.
+ */
+ ctx->cont = i;
+
ctx->buf_off = 0;
if (i < 0) {
ret_code = 0;
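Review bot: the diffstat shows only crypto/evp/bio_b64.c changing, so nothing guards the `ctx->cont = i;` assignment added ahead of `ctx->buf_off = 0;` against being dropped again, which the new comment says already happened once in commit 5562cfaca4f3. Suggest adding a regression test that feeds the filter a PEM input whose end marker straddles a chunk boundary, as in #5405, and checks that no bytes follow the real payload. The assignment is also unconditional while the comment covers only the eof/error case; one more sentence on what a positive value of i leaves in ctx->cont would help the next reader.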
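The failure described in the commit message, as an added example that is not OpenSSL's code or part of the commit: a simplified chunked decoder showing how a '-' EOF that is not recorded lets the next read decode "TIFICATE" into the 6 bytes quoted above. The names toy_ctx, toy_read and drain, the 16-byte CHUNK and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 16 /* constructed chunk size, not OpenSSL's B64_BLOCK_SIZE */
/* Constructed input: "ABC" in base64, then the PEM end marker, split 16|13. */
static const char SAMPLE[] = "QUJD-----END CERTIFICATE-----";

typedef struct { const char *in; size_t pos; int cont; } toy_ctx;

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode the next chunk; '-' ends decoding and is reported as EOF.
 * latch != 0 records that EOF in c->cont, the effect of the restored line.
 * Simplification: base64 quads are assumed not to straddle chunks. */
static int toy_read(toy_ctx *c, unsigned char *out, int latch) {
    size_t left = strlen(c->in) - c->pos, n = left < CHUNK ? left : CHUNK;
    unsigned acc = 0;
    int nbits = 0, w = 0, eof = 0;
    if (c->cont <= 0 || n == 0) return 0; /* latched EOF or input exhausted */
    for (size_t i = 0; i < n && !eof; i++) {
        int v = b64val(c->in[c->pos + i]);
        if (c->in[c->pos + i] == '-') { eof = 1; continue; }
        if (v < 0) continue; /* skip whitespace and padding */
        acc = (acc << 6) | (unsigned)v; nbits += 6;
        if (nbits >= 8) { nbits -= 8; out[w++] = (acc >> nbits) & 0xff; }
    }
    c->pos += n;
    if (latch && eof) c->cont = 0;
    return w;
}

/* Call toy_read() until it returns 0, as a BIO consumer would. */
static int drain(const char *pem, unsigned char *out, int latch) {
    toy_ctx c = { pem, 0, 1 };
    int total = 0, w;
    while ((w = toy_read(&c, out + total, latch)) > 0) total += w;
    return total;
}

int main(void) {
    unsigned char buf[64];
    printf("unlatched: %d bytes, latched: %d bytes\n",
           drain(SAMPLE, buf, 0), drain(SAMPLE, buf, 1));
    return 0;
}
```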