Commit cc598f32 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson Committed by Matt Caswell
Browse files

Fix leak with ASN.1 combine. 



When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent fb4f4676

crypto/asn1/tasn_dec.c

+5 −2
Original line number Diff line number Diff line
@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 
    int otag;

    int ret = 0;

    ASN1_VALUE **pchptr, *ptmpval;

    int combine = aclass & ASN1_TFLG_COMBINE;

    aclass &= ~ASN1_TFLG_COMBINE;

    if (!pval)

        return 0;

    if (aux && aux->asn1_cb)
@@ -500,6 +502,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, 
 auxerr:

    ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);

 err:

    if (combine == 0)

        ASN1_item_ex_free(pval, it);

    if (errtt)

        ERR_add_error_data(4, "Field=", errtt->field_name,
@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, 
    } else {

        /* Nothing special */

        ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),

                               -1, 0, opt, ctx);

                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);

        if (!ret) {

            ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);

            goto err;