Ensure we check i2d_X509 return val

The i2d_X509() function can return a negative value on error. Therefore we should make sure we check it. Issue reported by Yuan Jochen Kang. Reviewed-by: N Emilia Käsper <emilia@openssl.org>

Ensure we check i2d_X509 return val
The i2d_X509() function can return a negative value on error. Therefore we should make sure we check it. Issue reported by Yuan Jochen Kang. Reviewed-by: N Emilia Käsper <emilia@openssl.org>
446ba8de · Matt Caswell · baf1a304 · 446ba8de · 446ba8de
隐藏空白更改
内联并排

Showing with 19 addition and 5 deletion

crypto/x509/x_x509.c crypto/x509/x_x509.c +12 -3

ssl/ssl_cert.c ssl/ssl_cert.c +7 -2

未找到文件。
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -182,10 +182,19 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)

 int i2d_X509_AUX(X509 *a, unsigned char **pp)
 {
-    int length;
+    int length, tmplen;
+    unsigned char *start = *pp;
    length = i2d_X509(a, pp);
-    if (a)
-        length += i2d_X509_CERT_AUX(a->aux, pp);
+    if (length < 0 || a == NULL)
+        return length;
+
+    tmplen = i2d_X509_CERT_AUX(a->aux, pp);
+    if (tmplen < 0) {
+        *pp = start;
+        return tmplen;
+    }
+    length += tmplen;
+
    return length;
 }


--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -836,13 +836,18 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
    unsigned char *p;

    n = i2d_X509(x, NULL);
-    if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) {
+    if (n < 0 || !BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) {
        SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
        return 0;
    }
    p = (unsigned char *)&(buf->data[*l]);
    l2n3(n, p);
-    i2d_X509(x, &p);
+    n = i2d_X509(x, &p);
+    if (n < 0) {
+        /* Shouldn't happen */
+        SSLerr(SSL_F_SSL_ADD_CERT_TO_BUF, ERR_R_BUF_LIB);
+        return 0;
+    }
    *l += n + 3;

    return 1;