Check for errors in BN_bn2dec()

If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing. Fix by checking return value of BN_div_word() and checking writes don't overflow buffer. Thanks to Shi Lei for reporting this bug. CVE-2016-2182 Reviewed-by: N Tim Hudson <tjh@openssl.org>

Check for errors in BN_bn2dec()
If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing. Fix by checking return value of BN_div_word() and checking writes don't overflow buffer. Thanks to Shi Lei for reporting this bug. CVE-2016-2182 Reviewed-by: N Tim Hudson <tjh@openssl.org>
07bed46f · Dr. Stephen Henson · 40c60b0d · 07bed46f
隐藏空白更改
内联并排

Showing with 7 addition and 1 deletion

crypto/bn/bn_print.c crypto/bn/bn_print.c +7 -1

未找到文件。
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -62,6 +62,7 @@ char *BN_bn2dec(const BIGNUM *a)
    char *p;
    BIGNUM *t = NULL;
    BN_ULONG *bn_data = NULL, *lp;
+    int bn_data_num;

    /*-
     * get an upper bound for the length of the decimal integer
@@ -71,7 +72,8 @@ char *BN_bn2dec(const BIGNUM *a)
     */
    i = BN_num_bits(a) * 3;
    num = (i / 10 + i / 1000 + 1) + 1;
-    bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+    bn_data_num = num / BN_DEC_NUM + 1;
+    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
    buf = OPENSSL_malloc(num + 3);
    if ((buf == NULL) || (bn_data == NULL)) {
        BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
@@ -93,7 +95,11 @@ char *BN_bn2dec(const BIGNUM *a)
        i = 0;
        while (!BN_is_zero(t)) {
            *lp = BN_div_word(t, BN_DEC_CONV);
+            if (*lp == (BN_ULONG)-1)
+                goto err;
            lp++;
+            if (lp - bn_data >= bn_data_num)
+                goto err;
        }
        lp--;
        /*