Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

(cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950)

diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index c429342e03d42a533fff8ce66aaf39e45e027db9..0c8bb144a099b4fe5f2f4f2d53fc3ff7738097a6 100644 (file)
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -56,6 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
+#include <limits.h>
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
@@ -136,6 +137,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
         goto err;
     }
 
+    if (len > INT_MAX) {
+        i = ASN1_R_STRING_TOO_LONG;
+        goto err;
+    }
+
     if ((a == NULL) || ((*a) == NULL)) {
         if ((ret = M_ASN1_BIT_STRING_new()) == NULL)
             return (NULL);