Commit c6a9f005 authored by Rich Salz's avatar Rich Salz
Browse files

Prevent OOB in SRP base64 code. 



Change size comparison from > (GT) to >= (GTE) to ensure an additional
byte of output buffer, to prevent OOB reads/writes later in the function
Reject input strings larger than 2GB
Detect invalid output buffer size and return early

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2672)

(cherry picked from commit ecca1663)
parent c62ee125

crypto/srp/srp_vfy.c

+5 −2
Original line number Diff line number Diff line
@@ -36,10 +36,13 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) 
    int i, j;

    int size;



    if (alen == 0 || alen > INT_MAX)

        return -1;



    while (*src && (*src == ' ' || *src == '\t' || *src == '\n'))

        ++src;

    size = strlen(src);

    if (alen > INT_MAX || size > (int)alen)

    if (size < 0 || size >= (int)alen)

        return -1;



    i = 0;
@@ -77,7 +80,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) 
        if (--i < 0)

            break;

    }

    while (a[j] == 0 && j <= size)

    while (j <= size && a[j] == 0)

        ++j;

    i = 0;

    while (j <= size)