Commit 6b1c8204 authored Sep 18, 2017 by David Benjamin Committed by Andy Polyakov Sep 19, 2017

Fix overflow in c2i_ASN1_BIT_STRING.



c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

parent d2ef6e4e

crypto/asn1/a_bitstr.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -7,6 +7,7 @@
		* https://www.openssl.org/source/license.html
		*/

		#include <limits.h>
		#include <stdio.h>
		#include "internal/cryptlib.h"
		#include <openssl/asn1.h>
		@@ -88,6 +89,11 @@ ASN1_BIT_STRING c2i_ASN1_BIT_STRING(ASN1_BIT_STRING *a,
		goto err;
		}

		if (len > INT_MAX) {
		i = ASN1_R_STRING_TOO_LONG;
		goto err;
		}

		if ((a == NULL) \|\| ((*a) == NULL)) {
		if ((ret = ASN1_BIT_STRING_new()) == NULL)
		return (NULL);