Commit f5da52e3 authored Apr 15, 2016 by Dr. Stephen Henson Committed by Matt Caswell May 03, 2016

Fix ASN1_INTEGER handling.



Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
for on the wire encoding.

Thanks to David Benjamin <davidben@google.com> for reporting this bug.

This was found using libFuzzer.

RT#4364 (part)CVE-2016-2108.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

parent 4159f311

crypto/asn1/a_type.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE a, const ASN1_TYPE b)
		result = 0; /* They do not have content. */
		break;
		case V_ASN1_INTEGER:
		case V_ASN1_NEG_INTEGER:
		case V_ASN1_ENUMERATED:
		case V_ASN1_NEG_ENUMERATED:
		case V_ASN1_BIT_STRING:
		case V_ASN1_OCTET_STRING:
		case V_ASN1_SEQUENCE:

crypto/asn1/tasn_dec.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE *pval, const unsigned char cont, int len,
		break;

		case V_ASN1_INTEGER:
		case V_ASN1_NEG_INTEGER:
		case V_ASN1_ENUMERATED:
		case V_ASN1_NEG_ENUMERATED:
		tint = (ASN1_INTEGER **)pval;
		if (!c2i_ASN1_INTEGER(tint, &cont, len))
		goto err;

crypto/asn1/tasn_enc.c

+0 −2

Original line number	Diff line number	Diff line
		@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE *pval, unsigned char cout, int *putype,
		break;

		case V_ASN1_INTEGER:
		case V_ASN1_NEG_INTEGER:
		case V_ASN1_ENUMERATED:
		case V_ASN1_NEG_ENUMERATED:
		/*
		* These are all have the same content format as ASN1_INTEGER
		*/