[openssl] OpenSSL_1_1_1-stable update
Dr. Paul Dale
pauli at openssl.org
Tue Apr 7 23:22:12 UTC 2020
The branch OpenSSL_1_1_1-stable has been updated
via 163897267fab6d29dff1a4bf8247f8e02e158be8 (commit)
from 43c242b0f687fc48c57ae3d721960db28e079ef6 (commit)
- Log -----------------------------------------------------------------
commit 163897267fab6d29dff1a4bf8247f8e02e158be8
Author: Pauli <paul.dale at oracle.com>
Date: Mon Apr 6 09:23:00 2020 +1000
Integer overflow in ASN1_STRING_set.
Addressing a potential integer overflow condition.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11473)
(cherry picked from commit 96218269f4c2da82f143727fb7697d572c190bc5)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/asn1_lib.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index a7d32ae5e2..5cd0e16b52 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -268,18 +268,29 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str)
return ret;
}
-int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
+int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
{
unsigned char *c;
const char *data = _data;
+ size_t len;
- if (len < 0) {
+ if (len_in < 0) {
if (data == NULL)
return 0;
- else
- len = strlen(data);
+ len = strlen(data);
+ } else {
+ len = (size_t)len_in;
+ }
+ /*
+ * Verify that the length fits within an integer for assignment to
+ * str->length below. The additional 1 is subtracted to allow for the
+ * '\0' terminator even though this isn't strictly necessary.
+ */
+ if (len > INT_MAX - 1) {
+ ASN1err(0, ASN1_R_TOO_LARGE);
+ return 0;
}
- if ((str->length <= len) || (str->data == NULL)) {
+ if ((size_t)str->length <= len || str->data == NULL) {
c = str->data;
str->data = OPENSSL_realloc(c, len + 1);
if (str->data == NULL) {
More information about the openssl-commits
mailing list