Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds before doing so. Previously, excessively large inputs to the function could write a single byte outside the target buffer. (This is unreachable as asn1_ex_c2i already uses int for the length.) Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4385)

Fix overflow in c2i_ASN1_BIT_STRING.
c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds before doing so. Previously, excessively large inputs to the function could write a single byte outside the target buffer. (This is unreachable as asn1_ex_c2i already uses int for the length.) Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4385)
6b1c8204 · David Benjamin · Andy Polyakov · d2ef6e4e · 6b1c8204
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

crypto/asn1/a_bitstr.c crypto/asn1/a_bitstr.c +6 -0

未找到文件。
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -7,6 +7,7 @@
 * https://www.openssl.org/source/license.html
 */

+#include <limits.h>
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1.h>
@@ -88,6 +89,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
        goto err;
    }

+    if (len > INT_MAX) {
+        i = ASN1_R_STRING_TOO_LONG;
+        goto err;
+    }
+
    if ((a == NULL) || ((*a) == NULL)) {
        if ((ret = ASN1_BIT_STRING_new()) == NULL)
            return (NULL);