Commit e36f27dd authored by Dr. Stephen Henson's avatar Dr. Stephen Henson
Browse files

Check for errors in BN_bn2dec() 



If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(cherry picked from commit 07bed46f)

Conflicts:
	crypto/bn/bn_print.c
parent d871284a

crypto/bn/bn_print.c

+8 −3
Original line number Diff line number Diff line
@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) 
    char *p;

    BIGNUM *t = NULL;

    BN_ULONG *bn_data = NULL, *lp;

    int bn_data_num;



    /*-

     * get an upper bound for the length of the decimal integer
@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) 
     */

    i = BN_num_bits(a) * 3;

    num = (i / 10 + i / 1000 + 1) + 1;

    bn_data =

        (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));

    buf = (char *)OPENSSL_malloc(num + 3);

    bn_data_num = num / BN_DEC_NUM + 1;

    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));

    buf = OPENSSL_malloc(num + 3);

    if ((buf == NULL) || (bn_data == NULL)) {

        BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);

        goto err;
@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a) 
        i = 0;

        while (!BN_is_zero(t)) {

            *lp = BN_div_word(t, BN_DEC_CONV);

            if (*lp == (BN_ULONG)-1)

                goto err;

            lp++;

            if (lp - bn_data >= bn_data_num)

                goto err;

        }

        lp--;

        /*