Allocate ASN1_bn_print buffer internally.
authorDr. Stephen Henson <steve@openssl.org>
Thu, 4 Feb 2016 18:53:07 +0000 (18:53 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 5 Feb 2016 00:33:33 +0000 (00:33 +0000)
Don't require an application to work out the appropriate buffer size for
ASN1_bn_print(), which is unsafe. Ignore the supplied buffer and allocate
it internally instead.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
crypto/asn1/t_pkey.c

index afe347b..b17862c 100644 (file)
@@ -91,14 +91,16 @@ int ASN1_buf_print(BIO *bp, unsigned char *buf, size_t buflen, int indent)
 }
 
 int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
-                  unsigned char *buf, int indent)
+                  unsigned char *ign, int indent)
 {
-    int n;
+    int n, rv = 0;
     const char *neg;
+    unsigned char *buf = NULL, *tmp = NULL;
+    int buflen;
 
     if (num == NULL)
         return 1;
-    neg = (BN_is_negative(num)) ? "-" : "";
+    neg = BN_is_negative(num) ? "-" : "";
     if (!BIO_indent(bp, indent, ASN1_PRINT_MAX_INDENT))
         return 0;
     if (BN_is_zero(num)) {
@@ -111,21 +113,29 @@ int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
         if (BIO_printf(bp, "%s %s%lu (%s0x%lx)\n", number, neg,
                        (unsigned long)bn_get_words(num)[0], neg,
                        (unsigned long)bn_get_words(num)[0]) <= 0)
-            return (0);
-    } else {
-        buf[0] = 0;
-        if (BIO_printf(bp, "%s%s\n", number,
-                       (neg[0] == '-') ? " (Negative)" : "") <= 0)
-            return (0);
-        n = BN_bn2bin(num, &buf[1]);
-
-        if (buf[1] & 0x80)
-            n++;
-        else
-            buf++;
-
-        if (ASN1_buf_print(bp, buf, n, indent + 4) == 0)
             return 0;
+        return 1;
     }
-    return 1;
+
+    buflen = BN_num_bytes(num) + 1;
+    buf = tmp = OPENSSL_malloc(buflen);
+    if (buf == NULL)
+        goto err;
+    buf[0] = 0;
+    if (BIO_printf(bp, "%s%s\n", number,
+                   (neg[0] == '-') ? " (Negative)" : "") <= 0)
+        goto err;
+    n = BN_bn2bin(num, buf + 1);
+
+    if (buf[1] & 0x80)
+        n++;
+    else
+        tmp++;
+
+    if (ASN1_buf_print(bp, tmp, n, indent + 4) == 0)
+        goto err;
+    rv = 1;
+    err:
+    OPENSSL_clear_free(buf, buflen);
+    return rv;
 }