Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[openssl-commits] [openssl] OpenSSL_1_0_1-stable update
3 views
Skip to first unread message
Dr. Stephen Henson
Aug 2, 2016, 3:55:45 PM8/2/16
to
The branch OpenSSL_1_0_1-stable has been updated
via 7149c709a24802f044f15e6a8e47d3926a547c2d (commit)
via e3db6f1c43f59eefec2608cef1fb3ca47c81a58f (commit)
from 6adf409c7432b90c06d9890787fe56c48f2a16e7 (commit)
- Log -----------------------------------------------------------------
commit 7149c709a24802f044f15e6a8e47d3926a547c2d
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Tue Aug 2 00:30:47 2016 +0100
Check for overflows in ASN1_object_size().
Reviewed-by: Richard Levitte <lev...@openssl.org>
(cherry picked from commit e9f17097e9fbba3e7664cd67e54eebf2bd438863)
commit e3db6f1c43f59eefec2608cef1fb3ca47c81a58f
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Tue Aug 2 00:45:31 2016 +0100
Check for overlows and error return from ASN1_object_size()
Reviewed-by: Richard Levitte <lev...@openssl.org>
(cherry picked from commit 56f9953c846204cb3251ab27605e403c7444fd72)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_object.c | 2 +-
crypto/asn1/asn1_lib.c | 28 ++++++++++++++++------------
crypto/asn1/tasn_enc.c | 25 ++++++++++++++++---------
3 files changed, 33 insertions(+), 22 deletions(-)
diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 27f9c16..fba9f66 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -73,7 +73,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
return (0);
objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT);
- if (pp == NULL)
+ if (pp == NULL || objsize == -1)
return objsize;
p = *pp;
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 874b1af..8752654 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -256,26 +256,30 @@ static void asn1_put_length(unsigned char **pp, int length)
int ASN1_object_size(int constructed, int length, int tag)
{
- int ret;
-
- ret = length;
- ret++;
+ int ret = 1;
+ if (length < 0)
+ return -1;
if (tag >= 31) {
while (tag > 0) {
tag >>= 7;
ret++;
}
}
- if (constructed == 2)
- return ret + 3;
- ret++;
- if (length > 127) {
- while (length > 0) {
- length >>= 8;
- ret++;
+ if (constructed == 2) {
+ ret += 3;
+ } else {
+ ret++;
+ if (length > 127) {
+ int tmplen = length;
+ while (tmplen > 0) {
+ tmplen >>= 8;
+ ret++;
+ }
}
}
- return (ret);
+ if (ret >= INT_MAX - length)
+ return -1;
+ return ret + length;
}
static int _asn1_Finish(ASN1_const_CTX *c)
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index f7f83e5..255b11e 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -216,17 +216,19 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
const ASN1_TEMPLATE *seqtt;
ASN1_VALUE **pseqval;
+ int tmplen;
seqtt = asn1_do_adb(pval, tt, 1);
if (!seqtt)
return 0;
pseqval = asn1_get_field_ptr(pval, seqtt);
- /* FIXME: check for errors in enhanced version */
- seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt,
- -1, aclass);
+ tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass);
+ if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen))
+ return -1;
+ seqcontlen += tmplen;
}
seqlen = ASN1_object_size(ndef, seqcontlen, tag);
- if (!out)
+ if (!out || seqlen == -1)
return seqlen;
/* Output SEQUENCE header */
ASN1_put_object(out, ndef, seqcontlen, tag, aclass);
@@ -339,19 +341,24 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
/* Determine total length of items */
skcontlen = 0;
for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+ int tmplen;
skitem = sk_ASN1_VALUE_value(sk, i);
- skcontlen += ASN1_item_ex_i2d(&skitem, NULL,
- ASN1_ITEM_ptr(tt->item),
- -1, iclass);
+ tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item),
+ -1, iclass);
+ if (tmplen == -1 || (skcontlen > INT_MAX - tmplen))
+ return -1;
+ skcontlen += tmplen;
}
sklen = ASN1_object_size(ndef, skcontlen, sktag);
+ if (sklen == -1)
+ return -1;
/* If EXPLICIT need length of surrounding tag */
if (flags & ASN1_TFLG_EXPTAG)
ret = ASN1_object_size(ndef, sklen, ttag);
else
ret = sklen;
- if (!out)
+ if (!out || ret == -1)
return ret;
/* Now encode this lot... */
@@ -380,7 +387,7 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
return 0;
/* Find length of EXPLICIT tag */
ret = ASN1_object_size(ndef, i, ttag);
- if (out) {
+ if (out && ret != -1) {
/* Output tag and item */
ASN1_put_object(out, ndef, i, ttag, tclass);
ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass);
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
via 7149c709a24802f044f15e6a8e47d3926a547c2d (commit)
via e3db6f1c43f59eefec2608cef1fb3ca47c81a58f (commit)
from 6adf409c7432b90c06d9890787fe56c48f2a16e7 (commit)
- Log -----------------------------------------------------------------
commit 7149c709a24802f044f15e6a8e47d3926a547c2d
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Tue Aug 2 00:30:47 2016 +0100
Check for overflows in ASN1_object_size().
Reviewed-by: Richard Levitte <lev...@openssl.org>
(cherry picked from commit e9f17097e9fbba3e7664cd67e54eebf2bd438863)
commit e3db6f1c43f59eefec2608cef1fb3ca47c81a58f
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Tue Aug 2 00:45:31 2016 +0100
Check for overlows and error return from ASN1_object_size()
Reviewed-by: Richard Levitte <lev...@openssl.org>
(cherry picked from commit 56f9953c846204cb3251ab27605e403c7444fd72)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_object.c | 2 +-
crypto/asn1/asn1_lib.c | 28 ++++++++++++++++------------
crypto/asn1/tasn_enc.c | 25 ++++++++++++++++---------
3 files changed, 33 insertions(+), 22 deletions(-)
diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 27f9c16..fba9f66 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -73,7 +73,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
return (0);
objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT);
- if (pp == NULL)
+ if (pp == NULL || objsize == -1)
return objsize;
p = *pp;
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 874b1af..8752654 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -256,26 +256,30 @@ static void asn1_put_length(unsigned char **pp, int length)
int ASN1_object_size(int constructed, int length, int tag)
{
- int ret;
-
- ret = length;
- ret++;
+ int ret = 1;
+ if (length < 0)
+ return -1;
if (tag >= 31) {
while (tag > 0) {
tag >>= 7;
ret++;
}
}
- if (constructed == 2)
- return ret + 3;
- ret++;
- if (length > 127) {
- while (length > 0) {
- length >>= 8;
- ret++;
+ if (constructed == 2) {
+ ret += 3;
+ } else {
+ ret++;
+ if (length > 127) {
+ int tmplen = length;
+ while (tmplen > 0) {
+ tmplen >>= 8;
+ ret++;
+ }
}
}
- return (ret);
+ if (ret >= INT_MAX - length)
+ return -1;
+ return ret + length;
}
static int _asn1_Finish(ASN1_const_CTX *c)
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index f7f83e5..255b11e 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -216,17 +216,19 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {
const ASN1_TEMPLATE *seqtt;
ASN1_VALUE **pseqval;
+ int tmplen;
seqtt = asn1_do_adb(pval, tt, 1);
if (!seqtt)
return 0;
pseqval = asn1_get_field_ptr(pval, seqtt);
- /* FIXME: check for errors in enhanced version */
- seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt,
- -1, aclass);
+ tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass);
+ if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen))
+ return -1;
+ seqcontlen += tmplen;
}
seqlen = ASN1_object_size(ndef, seqcontlen, tag);
- if (!out)
+ if (!out || seqlen == -1)
return seqlen;
/* Output SEQUENCE header */
ASN1_put_object(out, ndef, seqcontlen, tag, aclass);
@@ -339,19 +341,24 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
/* Determine total length of items */
skcontlen = 0;
for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) {
+ int tmplen;
skitem = sk_ASN1_VALUE_value(sk, i);
- skcontlen += ASN1_item_ex_i2d(&skitem, NULL,
- ASN1_ITEM_ptr(tt->item),
- -1, iclass);
+ tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item),
+ -1, iclass);
+ if (tmplen == -1 || (skcontlen > INT_MAX - tmplen))
+ return -1;
+ skcontlen += tmplen;
}
sklen = ASN1_object_size(ndef, skcontlen, sktag);
+ if (sklen == -1)
+ return -1;
/* If EXPLICIT need length of surrounding tag */
if (flags & ASN1_TFLG_EXPTAG)
ret = ASN1_object_size(ndef, sklen, ttag);
else
ret = sklen;
- if (!out)
+ if (!out || ret == -1)
return ret;
/* Now encode this lot... */
@@ -380,7 +387,7 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
return 0;
/* Find length of EXPLICIT tag */
ret = ASN1_object_size(ndef, i, ttag);
- if (out) {
+ if (out && ret != -1) {
/* Output tag and item */
ASN1_put_object(out, ndef, i, ttag, tclass);
ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass);
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
Dr. Stephen Henson
Aug 2, 2016, 7:11:40 PM8/2/16
to
The branch OpenSSL_1_0_1-stable has been updated
via c648bdcc4cd8a7d1699081d339ff33deda69a3be (commit)
from 7149c709a24802f044f15e6a8e47d3926a547c2d (commit)
- Log -----------------------------------------------------------------
commit c648bdcc4cd8a7d1699081d339ff33deda69a3be
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Tue Aug 2 23:41:45 2016 +0100
include <limits.h>
Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit 134ab5139a8d41455a81d9fcc31b3edb8a4b2f5c)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/tasn_enc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 255b11e..081a9d5 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -59,6 +59,7 @@
#include <stddef.h>
#include <string.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
Dr. Stephen Henson
Aug 2, 2016, 9:39:44 PM8/2/16
to
The branch OpenSSL_1_0_1-stable has been updated
via 5db2a579b72b94aa0dacb08530768a1a5759237d (commit)from c648bdcc4cd8a7d1699081d339ff33deda69a3be (commit)
- Log -----------------------------------------------------------------
commit 5db2a579b72b94aa0dacb08530768a1a5759237d
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Tue Aug 2 23:53:41 2016 +0100
Calculate sequence length properly.
Use correct length in old ASN.1 indefinite length sequence decoder
(only used by SSL_SESSION).
This bug was discovered by Hanno Böck using libfuzzer.
Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit 436dead2e2a157fa501a7538a77b6078391b477f)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/asn1_lib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index 8752654..80f5f2b 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -328,7 +328,7 @@ int asn1_GetSequence(ASN1_const_CTX *c, long *length)
return (0);
}
if (c->inf == (1 | V_ASN1_CONSTRUCTED))
- c->slen = *length + *(c->pp) - c->p;
+ c->slen = *length;
c->eos = 0;
return (1);
Dr. Stephen Henson
Aug 4, 2016, 12:44:52 PM8/4/16
to
The branch OpenSSL_1_0_1-stable has been updated
via 6592de7c8c090bbb7ec82bad07b3249153bb692f (commit)
from 5db2a579b72b94aa0dacb08530768a1a5759237d (commit)
- Log -----------------------------------------------------------------
commit 6592de7c8c090bbb7ec82bad07b3249153bb692f
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Thu Aug 4 13:54:51 2016 +0100
Check for overflows in i2d_ASN1_SET()
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit af601b83198771a4ad54ac0f415964b90aab4b5f)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_set.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c
index bf3f971..5fb5865 100644
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -57,6 +57,7 @@
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/asn1_mac.h>
@@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp,
if (a == NULL)
return (0);
- for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--)
+ for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) {
+ int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+ if (tmplen > INT_MAX - ret)
+ return -1;
ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL);
+ }
r = ASN1_object_size(1, ret, ex_tag);
- if (pp == NULL)
+ if (pp == NULL || r == -1)
return (r);
p = *pp;
Dr. Stephen Henson
Aug 4, 2016, 5:13:28 PM8/4/16
to
The branch OpenSSL_1_0_1-stable has been updated
via a199e0c39a21db79e44dc3c66f45726d1092983f (commit)
from 6592de7c8c090bbb7ec82bad07b3249153bb692f (commit)
- Log -----------------------------------------------------------------
commit a199e0c39a21db79e44dc3c66f45726d1092983f
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Thu Aug 4 15:00:26 2016 +0100
Limit recursion depth in old d2i_ASN1_bytes function
Thanks to Shi Lei for reporting this bug.
Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit 81f69e5b69b8e87ca5d7080ab643ebda7808542c)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_bytes.c | 58 ++++++++++++++++++++++++++++++++++++++-------------
1 file changed, 43 insertions(+), 15 deletions(-)
diff --git a/crypto/asn1/a_bytes.c b/crypto/asn1/a_bytes.c
index 385b539..65e5394 100644
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@@ -60,7 +60,12 @@
#include "cryptlib.h"
#include <openssl/asn1.h>
-static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c);
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c,
+ int depth);
+static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a,
+ const unsigned char **pp, long length,
+ int Ptag, int Pclass, int depth,
+ int *perr);
/*
* type is a 'bitmap' of acceptable string types.
*/
@@ -99,7 +104,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp,
ret = (*a);
if (len != 0) {
- s = (unsigned char *)OPENSSL_malloc((int)len + 1);
+ s = OPENSSL_malloc((int)len + 1);
if (s == NULL) {
i = ERR_R_MALLOC_FAILURE;
goto err;
@@ -154,15 +159,38 @@ int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass)
return (r);
}
+/*
+ * Maximum recursion depth of d2i_ASN1_bytes(): much more than should be
+ * encountered in pratice.
+ */
+
+#define ASN1_BYTES_MAXDEPTH 20
+
ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
long length, int Ptag, int Pclass)
{
+ int err = 0;
+ ASN1_STRING *s = int_d2i_ASN1_bytes(a, pp, length, Ptag, Pclass, 0, &err);
+ if (err != 0)
+ ASN1err(ASN1_F_D2I_ASN1_BYTES, err);
+ return s;
+}
+
+static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a,
+ const unsigned char **pp, long length,
+ int Ptag, int Pclass,
+ int depth, int *perr)
+{
ASN1_STRING *ret = NULL;
const unsigned char *p;
unsigned char *s;
long len;
int inf, tag, xclass;
- int i = 0;
+
+ if (depth > ASN1_BYTES_MAXDEPTH) {
+ *perr = ASN1_R_NESTED_ASN1_STRING;
+ return NULL;
+ }
if ((a == NULL) || ((*a) == NULL)) {
if ((ret = ASN1_STRING_new()) == NULL)
@@ -173,18 +201,19 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
p = *pp;
inf = ASN1_get_object(&p, &len, &tag, &xclass, length);
if (inf & 0x80) {
- i = ASN1_R_BAD_OBJECT_HEADER;
+ *perr = ASN1_R_BAD_OBJECT_HEADER;
goto err;
}
if (tag != Ptag) {
- i = ASN1_R_WRONG_TAG;
+ *perr = ASN1_R_WRONG_TAG;
goto err;
}
if (inf & V_ASN1_CONSTRUCTED) {
ASN1_const_CTX c;
+ c.error = 0;
c.pp = pp;
c.p = p;
c.inf = inf;
@@ -192,17 +221,18 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
c.tag = Ptag;
c.xclass = Pclass;
c.max = (length == 0) ? 0 : (p + length);
- if (!asn1_collate_primitive(ret, &c))
+ if (!asn1_collate_primitive(ret, &c, depth)) {
+ *perr = c.error;
goto err;
- else {
+ } else {
p = c.p;
}
} else {
if (len != 0) {
if ((ret->length < len) || (ret->data == NULL)) {
- s = (unsigned char *)OPENSSL_malloc((int)len + 1);
+ s = OPENSSL_malloc((int)len + 1);
if (s == NULL) {
- i = ERR_R_MALLOC_FAILURE;
+ *perr = ERR_R_MALLOC_FAILURE;
goto err;
}
if (ret->data != NULL)
@@ -230,7 +260,6 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
err:
if ((ret != NULL) && ((a == NULL) || (*a != ret)))
ASN1_STRING_free(ret);
- ASN1err(ASN1_F_D2I_ASN1_BYTES, i);
return (NULL);
}
@@ -242,7 +271,8 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
* There have been a few bug fixes for this function from Paul Keogh
* <paul....@sse.ie>, many thanks to him
*/
-static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c)
+static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c,
+ int depth)
{
ASN1_STRING *os = NULL;
BUF_MEM b;
@@ -270,9 +300,8 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c)
}
c->q = c->p;
- if (d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, c->xclass)
- == NULL) {
- c->error = ERR_R_ASN1_LIB;
+ if (int_d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, c->xclass,
+ depth + 1, &c->error) == NULL) {
goto err;
}
@@ -297,7 +326,6 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c)
ASN1_STRING_free(os);
return (1);
err:
- ASN1err(ASN1_F_ASN1_COLLATE_PRIMITIVE, c->error);
if (os != NULL)
ASN1_STRING_free(os);
if (b.data != NULL)
Dr. Stephen Henson
Aug 4, 2016, 5:24:03 PM8/4/16
to
The branch OpenSSL_1_0_1-stable has been updated
via 3c39313f7bba2663961f6085bcd010e61004fe6e (commit)
from a199e0c39a21db79e44dc3c66f45726d1092983f (commit)
- Log -----------------------------------------------------------------
commit 3c39313f7bba2663961f6085bcd010e61004fe6e
Author: Kurt Roeckx <ku...@roeckx.be>
Date: Sat Jul 16 16:56:54 2016 +0200
Return error when trying to print invalid ASN1 integer
GH: #1322
Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Stephen Henson <st...@openssl.org>
(cherry picked from commit 32baafb2f6fb2a424824df08232d86765f554880)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/tasn_prn.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c
index 5e7d53e..d163acb 100644
--- a/crypto/asn1/tasn_prn.c
+++ b/crypto/asn1/tasn_prn.c
@@ -446,6 +446,8 @@ static int asn1_print_integer_ctx(BIO *out, ASN1_INTEGER *str,
char *s;
int ret = 1;
s = i2s_ASN1_INTEGER(NULL, str);
+ if (s == NULL)
+ return 0;
if (BIO_puts(out, s) <= 0)
ret = 0;
OPENSSL_free(s);
Dr. Stephen Henson
Aug 5, 2016, 1:59:48 PM8/5/16
to
The branch OpenSSL_1_0_1-stable has been updated
via d23de0bbf9e2c7a64065e2bf1907c6cceda78eb9 (commit)
from 3c39313f7bba2663961f6085bcd010e61004fe6e (commit)
- Log -----------------------------------------------------------------
commit d23de0bbf9e2c7a64065e2bf1907c6cceda78eb9
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Fri Aug 5 16:21:26 2016 +0100
Leak fixes.
Fix error path leaks in a2i_ASN1_STRING(), a2i_ASN1_INTEGER() and
a2i_ASN1_ENUMERATED().
Thanks to Shi Lei for reporting these issues.
Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit e1be1dce7722ee40ced16b1b91d5e1b9fce13d08)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/f_enum.c | 4 ++--
crypto/asn1/f_int.c | 4 ++--
crypto/asn1/f_string.c | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/crypto/asn1/f_enum.c b/crypto/asn1/f_enum.c
index 591c3b5..94cd54d 100644
--- a/crypto/asn1/f_enum.c
+++ b/crypto/asn1/f_enum.c
@@ -160,8 +160,6 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
i * 2);
if (sp == NULL) {
ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
- if (s != NULL)
- OPENSSL_free(s);
goto err;
}
s = sp;
@@ -199,5 +197,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size)
err_sl:
ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ASN1_R_SHORT_LINE);
}
+ if (ret != 1)
+ OPENSSL_free(s);
return (ret);
}
diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c
index 4a81f81..2bdc78d 100644
--- a/crypto/asn1/f_int.c
+++ b/crypto/asn1/f_int.c
@@ -172,8 +172,6 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
sp = OPENSSL_realloc_clean(s, slen, num + i * 2);
if (sp == NULL) {
ASN1err(ASN1_F_A2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
- if (s != NULL)
- OPENSSL_free(s);
goto err;
}
s = sp;
@@ -211,5 +209,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size)
err_sl:
ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_SHORT_LINE);
}
+ if (ret != 1)
+ OPENSSL_free(s);
return (ret);
}
diff --git a/crypto/asn1/f_string.c b/crypto/asn1/f_string.c
index 6a6cf34..0f7b9cf 100644
--- a/crypto/asn1/f_string.c
+++ b/crypto/asn1/f_string.c
@@ -166,8 +166,6 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
i * 2);
if (sp == NULL) {
ASN1err(ASN1_F_A2I_ASN1_STRING, ERR_R_MALLOC_FAILURE);
- if (s != NULL)
- OPENSSL_free(s);
goto err;
}
s = sp;
@@ -205,5 +203,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size)
err_sl:
ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_SHORT_LINE);
}
+ if (ret != 1)
+ OPENSSL_free(s);
return (ret);
Dr. Stephen Henson
Aug 5, 2016, 2:04:54 PM8/5/16
to
The branch OpenSSL_1_0_1-stable has been updated
via 7a4979815b3ce7d280ed30b3b1df2a23481c2331 (commit)from d23de0bbf9e2c7a64065e2bf1907c6cceda78eb9 (commit)
- Log -----------------------------------------------------------------
commit 7a4979815b3ce7d280ed30b3b1df2a23481c2331
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Fri Aug 5 17:59:32 2016 +0100
Sanity check input length in OPENSSL_uni2asc().
Thanks to Hanno Böck for reporting this bug.
Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit 39a43280316f1b9c45be5ac5b04f4f5c3f923686)
Conflicts:
crypto/pkcs12/p12_utl.c
-----------------------------------------------------------------------
Summary of changes:
crypto/pkcs12/p12_utl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
index a0b992e..e466f76 100644
--- a/crypto/pkcs12/p12_utl.c
+++ b/crypto/pkcs12/p12_utl.c
@@ -91,6 +91,10 @@ char *OPENSSL_uni2asc(unsigned char *uni, int unilen)
{
int asclen, i;
char *asctmp;
+
+ /* string must contain an even number of bytes */
+ if (unilen & 1)
+ return NULL;
asclen = unilen / 2;
/* If no terminating zero allow for one */
if (!unilen || uni[unilen - 1])
0 new messages