From bdcd660e33710079b495cf5cc6a1aaa5d2dcd317 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Wed, 13 Apr 2016 23:14:43 -0400 Subject: [PATCH] Bugfix: in asn1parse avoid erroneous len after a sub-sequence Introduced in: commit 79c7f74d6cefd5d32fa20e69195ad3de834ce065 Author: Ben Laurie Date: Tue Mar 29 19:37:57 2016 +0100 Fix buffer overrun in ASN1_parse(). Problem input: https://tools.ietf.org/html/draft-ietf-curdle-pkix-eddsa-00#section-8.1 -----BEGIN PUBLIC KEY----- MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE= -----END PUBLIC KEY----- Previously: 0:d=0 hl=2 l= 45 cons: SEQUENCE 2:d=1 hl=2 l= 8 cons: SEQUENCE 4:d=2 hl=2 l= 3 prim: OBJECT :1.3.101.100 9:d=2 hl=2 l= 1 prim: ENUMERATED :02 Error in encoding 140735164989440:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../openssl/crypto/asn1/asn1_lib.c:148: Now: 0:d=0 hl=2 l= 45 cons: SEQUENCE 2:d=1 hl=2 l= 8 cons: SEQUENCE 4:d=2 hl=2 l= 3 prim: OBJECT :1.3.101.100 9:d=2 hl=2 l= 1 prim: ENUMERATED :02 12:d=1 hl=2 l= 33 prim: BIT STRING 0000 - 00 19 bf 44 09 69 84 cd-fe 85 41 ba c1 67 dc 3b ...D.i....A..g.; 0010 - 96 c8 50 86 aa 30 b6 b6-cb 0c 5c 38 ad 70 31 66 ..P..0....\8.p1f 0020 - e1 . Reviewed-by: Richard Levitte --- crypto/asn1/asn1_par.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index b721273cf1..e41282094d 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -189,18 +189,19 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, } } } else { + long tmp = len; + while (p < ep) { sp = p; - r = asn1_parse2(bp, &p, len, + r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1, indent, dump); if (r == 0) { ret = 0; goto end; } - len -= p - sp; + tmp -= p - sp; } - len = length; } } else if (xclass != 0) { p += len; -- 2.34.1