Fix OID handling:

[openssl.git] / crypto / asn1 / a_object.c

diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index f1a5a1e31e4a9367c0a657df1b9c782a44f5ed99..84db02551e2d50fd3df25725a397d40d79ba95ef 100644 (file)
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -139,7 +139,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
                                ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_DIGIT);
                                goto err;
                                }
-                       if (!use_bn && l > (ULONG_MAX / 10L))
+                       if (!use_bn && l >= ((ULONG_MAX - 80) / 10L))
                                {
                                use_bn = 1;
                                if (!bl)
@@ -248,7 +248,11 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
                i2t_ASN1_OBJECT(p,i + 1,a);
                }
        if (i <= 0)
-               return BIO_write(bp, "<INVALID>", 9);
+                {
+                i = BIO_write(bp, "<INVALID>", 9);
+                i += BIO_dump(bp, (const char *)a->data, a->length);
+                return i;
+                }
        BIO_write(bp,p,i);
        if (p != buf)
                OPENSSL_free(p);
@@ -283,13 +287,36 @@ err:
        ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
        return(NULL);
 }
+
 ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
             long len)
        {
        ASN1_OBJECT *ret=NULL;
        const unsigned char *p;
        unsigned char *data;
-       int i;
+       int i, length;
+
+       /* Sanity check OID encoding.
+        * Need at least one content octet.
+        * MSB must be clear in the last octet.
+        * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
+        */
+       if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
+           p[len - 1] & 0x80)
+               {
+               ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
+               return NULL;
+               }
+       /* Now 0 < len <= INT_MAX, so the cast is safe. */
+       length = (int)len;
+       for (i = 0; i < length; i++, p++)
+               {
+               if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
+                       {
+                       ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
+                       return NULL;
+                       }
+               }
 
        /* only the ASN1_OBJECTs from the 'table' will have values
         * for ->sn or ->ln */
@@ -305,23 +332,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
        data = (unsigned char *)ret->data;
        ret->data = NULL;
        /* once detached we can change it */
-       if ((data == NULL) || (ret->length < len))
+       if ((data == NULL) || (ret->length < length))
                {
                ret->length=0;
                if (data != NULL) OPENSSL_free(data);
-               data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
+               data=(unsigned char *)OPENSSL_malloc(length);
                if (data == NULL)
                        { i=ERR_R_MALLOC_FAILURE; goto err; }
                ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
                }
-       memcpy(data,p,(int)len);
+       memcpy(data,p,length);
        /* reattach data to object, after which it remains const */
        ret->data  =data;
-       ret->length=(int)len;
+       ret->length=length;
        ret->sn=NULL;
        ret->ln=NULL;
        /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-       p+=len;
+       p+=length;
 
        if (a != NULL) (*a)=ret;
        *pp=p;