Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
openssl.4105
0001-Fix-buffer-overrun-in-ASN1_parse.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-Fix-buffer-overrun-in-ASN1_parse.patch of Package openssl.4105
From 697283ba418b21c4c0682d7050264b492e2ea4e2 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni <openssl-users@dukhovni.org> Date: Tue, 19 Apr 2016 22:23:24 -0400 Subject: [PATCH] Fix buffer overrun in ASN1_parse(). Backport of commits: 79c7f74d6cefd5d32fa20e69195ad3de834ce065 bdcd660e33710079b495cf5cc6a1aaa5d2dcd317 from master. Reviewed-by: Matt Caswell <matt@openssl.org> --- crypto/asn1/asn1_lib.c | 18 +++++++----------- crypto/asn1/asn1_par.c | 17 +++++++++++++---- 2 files changed, 20 insertions(+), 15 deletions(-) Index: openssl-1.0.1i/crypto/asn1/asn1_lib.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/asn1_lib.c 2016-04-28 17:19:12.524562985 +0200 +++ openssl-1.0.1i/crypto/asn1/asn1_lib.c 2016-04-28 17:22:25.536752503 +0200 @@ -62,7 +62,7 @@ #include <openssl/asn1.h> #include <openssl/asn1_mac.h> -static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,int max); +static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,long max); static void asn1_put_length(unsigned char **pp, int length); const char ASN1_version[]="ASN.1" OPENSSL_VERSION_PTEXT; @@ -129,7 +129,7 @@ int ASN1_get_object(const unsigned char } *ptag=tag; *pclass=xclass; - if (!asn1_get_length(&p,&inf,plength,(int)max)) goto err; + if (!asn1_get_length(&p,&inf,plength,max)) goto err; if (inf && !(ret & V_ASN1_CONSTRUCTED)) goto err; @@ -154,11 +154,11 @@ err: return(0x80); } -static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, int max) +static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, long max) { const unsigned char *p= *pp; unsigned long ret=0; - unsigned int i; + unsigned long i; if (max-- < 1) return(0); if (*p == 0x80) @@ -173,14 +173,12 @@ static int asn1_get_length(const unsigne i= *p&0x7f; if (*(p++) & 0x80) { - if (i > sizeof(long)) + if (i > sizeof(ret) || max < i) return 0; - if (max-- == 0) return(0); while (i-- > 0) { ret<<=8L; ret|= *(p++); - if (max-- == 0) return(0); } } else Index: openssl-1.0.1i/crypto/asn1/asn1_par.c =================================================================== --- openssl-1.0.1i.orig/crypto/asn1/asn1_par.c 2016-04-28 17:19:12.524562985 +0200 +++ openssl-1.0.1i/crypto/asn1/asn1_par.c 2016-04-28 17:27:44.140999764 +0200 @@ -165,6 +165,7 @@ static int asn1_parse2(BIO *bp, const un goto end; if (j & V_ASN1_CONSTRUCTED) { + const unsigned char *sp; ep=p+len; if (BIO_write(bp,"\n",1) <= 0) goto end; if (len > length) @@ -176,23 +177,33 @@ static int asn1_parse2(BIO *bp, const un } if ((j == 0x21) && (len == 0)) { + sp = p; for (;;) { r=asn1_parse2(bp,&p,(long)(tot-p), offset+(p - *pp),depth+1, indent,dump); if (r == 0) { ret=0; goto end; } - if ((r == 2) || (p >= tot)) break; + if ((r == 2) || (p >= tot)) + { + len = p - sp; + break; + } } } else + { + long tmp = len; while (p < ep) { - r=asn1_parse2(bp,&p,(long)len, + sp = p; + r=asn1_parse2(bp,&p,tmp, offset+(p - *pp),depth+1, indent,dump); if (r == 0) { ret=0; goto end; } + tmp -= p - sp; } + } } else if (xclass != 0) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor