From: Dr. Stephen Henson Date: Fri, 15 Apr 2016 01:37:09 +0000 (+0100) Subject: Fix ASN1_INTEGER handling. X-Git-Tag: OpenSSL_1_1_0-pre6~952 X-Git-Url: https://git.openssl.org/?a=commitdiff_plain;h=d7ab691bc479d3cf2eea07329db6ce0e2589f0b9;hp=d202a602e07b7090e3e5d75216b47cc7eb6fd4b6;p=openssl.git Fix ASN1_INTEGER handling. Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER tag: V_ASN1_NEG_INTEGER is an internal only value which is never used for on the wire encoding. Thanks to David Benjamin for reporting this bug. This was found using libFuzzer. RT#4364 (part)CVE-2016-2108. Reviewed-by: Emilia Käsper
---
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 8dea2e0e5c..e132b0c40a 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -122,9 +122,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
 result = 0; /* They do not have content. */
 break;
 case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
 case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
 case V_ASN1_BIT_STRING:
 case V_ASN1_OCTET_STRING:
 case V_ASN1_SEQUENCE:
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 571592199f..dd96dafeb3 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -858,9 +858,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 break;
 
 case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
 case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
 tint = (ASN1_INTEGER **)pval;
 if (!c2i_ASN1_INTEGER(tint, &cont, len))
 goto err;
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 0d25cf9d75..ae00a61d6e 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -600,9 +600,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
 cout ? &cout : NULL);
 
 case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
 case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
 /*
 * These are all have the same content format as ASN1_INTEGER
 */
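Review bot: Nothing in the code records why V_ASN1_NEG_INTEGER and V_ASN1_NEG_ENUMERATED are absent from the case list in ASN1_TYPE_cmp (crypto/asn1/a_type.c), so the reasoning lives only in the commit message and a later cleanup could put the labels back. A one-line comment above `case V_ASN1_INTEGER:` would pin it, for example `/* V_ASN1_NEG_INTEGER and V_ASN1_NEG_ENUMERATED are internal-only values, never wire tags */`. The same comment is missing at the matching lists in asn1_ex_c2i (tasn_dec.c) and asn1_ex_i2c (tasn_enc.c). The switch in ASN1_TYPE_cmp starts and ends outside this hunk.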
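Review bot: With the two labels gone from asn1_ex_c2i (crypto/asn1/tasn_dec.c), content whose type is V_ASN1_NEG_INTEGER or V_ASN1_NEG_ENUMERATED is handled by whichever arm takes unlisted types, and that arm lies outside this hunk, so the object it produces cannot be checked from here. If that arm stores the type value on the decoded object, the object would still carry an internal-only value; it is worth confirming that no later code reads it as a negative integer, or else rejecting the two values outright with `case V_ASN1_NEG_INTEGER: case V_ASN1_NEG_ENUMERATED: goto err;`. The three files touched are all library sources, so a decoder regression test that pins this path appears to be missing from the patch.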
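Review bot: The comment under the case labels in asn1_ex_i2c (crypto/asn1/tasn_enc.c) reads "These are all have the same content format", which is ungrammatical, and after this change it describes only the two remaining labels. While the lines are being touched it could become `* INTEGER and ENUMERATED share the ASN1_INTEGER content format`. The statement that the comment introduces is outside the hunk.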