Check for errors in BN_bn2dec() (e36f27dd) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Commit e36f27dd authored Aug 05, 2016 by

Dr. Stephen Henson

Check for errors in BN_bn2dec()



If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.

CVE-2016-2182

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 07bed46f)

Conflicts:
	crypto/bn/bn_print.c

parent d871284a

Hide whitespace changes

Inline Side-by-side

Please register or to comment