author Viktor Dukhovni Thu, 14 Apr 2016 03:14:43 +0000 (23:14 -0400) committer Viktor Dukhovni Thu, 14 Apr 2016 06:41:30 +0000 (02:41 -0400)
Introduced in:

Date:   Tue Mar 29 19:37:57 2016 +0100

Fix buffer overrun in ASN1_parse().

Problem input:

https://tools.ietf.org/html/draft-ietf-curdle-pkix-eddsa-00#section-8.1
-----BEGIN PUBLIC KEY-----
MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
-----END PUBLIC KEY-----

Previously:

0:d=0  hl=2 l=  45 cons: SEQUENCE
2:d=1  hl=2 l=   8 cons: SEQUENCE
4:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.100
9:d=2  hl=2 l=   1 prim: ENUMERATED        :02
Error in encoding

Now:

0:d=0  hl=2 l=  45 cons: SEQUENCE
2:d=1  hl=2 l=   8 cons: SEQUENCE
4:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.100
9:d=2  hl=2 l=   1 prim: ENUMERATED        :02
12:d=1  hl=2 l=  33 prim: BIT STRING
0000 - 00 19 bf 44 09 69 84 cd-fe 85 41 ba c1 67 dc 3b   ...D.i....A..g.;
0010 - 96 c8 50 86 aa 30 b6 b6-cb 0c 5c 38 ad 70 31 66   ..P..0....\8.p1f
0020 - e1                                                .

Reviewed-by: Richard Levitte <levitte@openssl.org>

index b721273cf1757f32198ffc36bbc9af06366948a3..e41282094dec2ce80b4899c279e860e125bafd1b 100644 (file)
@@ -189,18 +189,19 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
}
}
} else {
+                long tmp = len;
+
while (p < ep) {
sp = p;
-                    r = asn1_parse2(bp, &p, len,
+                    r = asn1_parse2(bp, &p, tmp,
offset + (p - *pp), depth + 1,
indent, dump);
if (r == 0) {
ret = 0;
goto end;
}
-                    len -= p - sp;
+                    tmp -= p - sp;
}
-                len = length;
}
} else if (xclass != 0) {
p += len;