Commit bdcd660e authored Apr 13, 2016 by Viktor Dukhovni

Bugfix: in asn1parse avoid erroneous len after a sub-sequence

Introduced in:

    commit 79c7f74d
    Author: Ben Laurie <ben@links.org>
    Date:   Tue Mar 29 19:37:57 2016 +0100

    Fix buffer overrun in ASN1_parse().

Problem input:

    https://tools.ietf.org/html/draft-ietf-curdle-pkix-eddsa-00#section-8.1


    -----BEGIN PUBLIC KEY-----
    MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
    -----END PUBLIC KEY-----

Previously:

        0:d=0  hl=2 l=  45 cons: SEQUENCE
        2:d=1  hl=2 l=   8 cons: SEQUENCE
        4:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.100
        9:d=2  hl=2 l=   1 prim: ENUMERATED        :02
    Error in encoding
    140735164989440:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../openssl/crypto/asn1/asn1_lib.c:148:

Now:

    0:d=0  hl=2 l=  45 cons: SEQUENCE
    2:d=1  hl=2 l=   8 cons: SEQUENCE
    4:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.100
    9:d=2  hl=2 l=   1 prim: ENUMERATED        :02
   12:d=1  hl=2 l=  33 prim: BIT STRING
      0000 - 00 19 bf 44 09 69 84 cd-fe 85 41 ba c1 67 dc 3b   ...D.i....A..g.;
      0010 - 96 c8 50 86 aa 30 b6 b6-cb 0c 5c 38 ad 70 31 66   ..P..0....\8.p1f
      0020 - e1                                                .

Reviewed-by: Richard Levitte <levitte@openssl.org>

parent 5968d11a

crypto/asn1/asn1_par.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -189,18 +189,19 @@ static int asn1_parse2(BIO bp, const unsigned char *pp, long length,
		}
		}
		} else {
		long tmp = len;

		while (p < ep) {
		sp = p;
		r = asn1_parse2(bp, &p, len,
		r = asn1_parse2(bp, &p, tmp,
		offset + (p - *pp), depth + 1,
		indent, dump);
		if (r == 0) {
		ret = 0;
		goto end;
		}
		len -= p - sp;
		tmp -= p - sp;
		}
		len = length;
		}
		} else if (xclass != 0) {
		p += len;