From: Ulf Möller <ulf@openssl.org>
Date: Fri, 3 Dec 1999 23:56:08 +0000 (+0000)
Subject: Circumvent an exploitable buffer overrun error in RSA Security's RSAREF
X-Git-Tag: OpenSSL_0_9_5beta1~393
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=cd9860af26bf1acb404dc1ab7a2738e817ebcd1f;hp=23fb9bc0eb455d1a0a561a7fdcddf9bfacd96f1a

Circumvent an exploitable buffer overrun error in RSA Security's RSAREF
library. See: http://www.CORE-SDI.COM/english/ssh/index.html

Submitted by:
Reviewed by:
PR:
---

diff --git a/rsaref/rsaref.c b/rsaref/rsaref.c
index 7677eb9fce..1a4c0f378b 100644
--- a/rsaref/rsaref.c
+++ b/rsaref/rsaref.c
@@ -209,6 +209,11 @@ int RSA_ref_private_decrypt(int len, unsigned char *from, unsigned char *to,
 
 	if (!RSAref_Private_eay2ref(rsa,&RSAkey))
 		goto err;
+	if (len > RSAref_MAX_LEN)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_DECRYPT,RSAREF_R_LEN);
+		goto err;
+		}
 	if ((i=RSAPrivateDecrypt(to,&outlen,from,len,&RSAkey)) != 0)
 		{
 		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_DECRYPT,i);
@@ -232,6 +237,11 @@ int RSA_ref_private_encrypt(int len, unsigned char *from, unsigned char *to,
 	}
 	if (!RSAref_Private_eay2ref(rsa,&RSAkey))
 		goto err;
+	if (len + 3 > RSAref_MAX_LEN)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_ENCRYPT,RSAREF_R_LEN);
+		goto err;
+		}
 	if ((i=RSAPrivateEncrypt(to,&outlen,from,len,&RSAkey)) != 0)
 		{
 		RSAREFerr(RSAREF_F_RSA_REF_PRIVATE_ENCRYPT,i);
@@ -250,6 +260,12 @@ int RSA_ref_public_decrypt(int len, unsigned char *from, unsigned char *to,
 
 	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
 		goto err;
+	if (len > RSAref_MAX_LEN)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_DECRYPT,RSAREF_R_LEN);
+		goto err;
+		}
+		goto err;
 	if ((i=RSAPublicDecrypt(to,&outlen,from,len,&RSAkey)) != 0)
 		{
 		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_DECRYPT,i);
@@ -286,6 +302,11 @@ int RSA_ref_public_encrypt(int len, unsigned char *from, unsigned char *to,
 
 	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
 		goto err;
+	if (len + 3 > RSAref_MAX_LEN)
+		{
+		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_ENCRYPT,RSAREF_R_LEN);
+		goto err;
+		}
 	if ((i=RSAPublicEncrypt(to,&outlen,from,len,&RSAkey,&rnd)) != 0)
 		{
 		RSAREFerr(RSAREF_F_RSA_REF_PUBLIC_ENCRYPT,i);