58 lines
1.7 KiB
Diff
58 lines
1.7 KiB
Diff
From 163897267fab6d29dff1a4bf8247f8e02e158be8 Mon Sep 17 00:00:00 2001
|
|
From: Pauli <paul.dale@oracle.com>
|
|
Date: Mon, 6 Apr 2020 09:23:00 +1000
|
|
Subject: [PATCH 012/217] Integer overflow in ASN1_STRING_set.
|
|
|
|
Addressing a potential integer overflow condition.
|
|
|
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/11473)
|
|
|
|
(cherry picked from commit 96218269f4c2da82f143727fb7697d572c190bc5)
|
|
---
|
|
crypto/asn1/asn1_lib.c | 21 ++++++++++++++++-----
|
|
1 file changed, 16 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
|
|
index a7d32ae..5cd0e16 100644
|
|
--- a/crypto/asn1/asn1_lib.c
|
|
+++ b/crypto/asn1/asn1_lib.c
|
|
@@ -268,18 +268,29 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str)
|
|
return ret;
|
|
}
|
|
|
|
-int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
|
|
+int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
|
|
{
|
|
unsigned char *c;
|
|
const char *data = _data;
|
|
+ size_t len;
|
|
|
|
- if (len < 0) {
|
|
+ if (len_in < 0) {
|
|
if (data == NULL)
|
|
return 0;
|
|
- else
|
|
- len = strlen(data);
|
|
+ len = strlen(data);
|
|
+ } else {
|
|
+ len = (size_t)len_in;
|
|
+ }
|
|
+ /*
|
|
+ * Verify that the length fits within an integer for assignment to
|
|
+ * str->length below. The additional 1 is subtracted to allow for the
|
|
+ * '\0' terminator even though this isn't strictly necessary.
|
|
+ */
|
|
+ if (len > INT_MAX - 1) {
|
|
+ ASN1err(0, ASN1_R_TOO_LARGE);
|
|
+ return 0;
|
|
}
|
|
- if ((str->length <= len) || (str->data == NULL)) {
|
|
+ if ((size_t)str->length <= len || str->data == NULL) {
|
|
c = str->data;
|
|
str->data = OPENSSL_realloc(c, len + 1);
|
|
if (str->data == NULL) {
|
|
--
|
|
1.8.3.1
|
|
|