From f962541d0be200055e508641ddf3a8ec8819e4df Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Fri, 14 Oct 2016 11:51:43 +0100
Subject: [PATCH] Don't set choice selector on parse failure.

Don't set choice selector on parse failure: this can pass unexpected values to the choice callback. Instead free up partial structure directly.
CVE-2016-7053
Thanks to Tyler Nighswander of ForAllSecure for reporting this issue.
Reviewed-by: Richard Levitte
---
 crypto/asn1/tasn_dec.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 679a50dce5..c9b637516e 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -225,16 +225,14 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
 /* If field not present, try the next one */
 if (ret == -1)
 continue;
- /*
- * Set the choice selector here to ensure that the value is
- * correctly freed upon error. It may be partially initialized
- * even if parsing failed.
- */
- asn1_set_choice_selector(pval, i, it);
 /* If positive return, read OK, break loop */
 if (ret > 0)
 break;
- /* Otherwise must be an ASN1 parsing error */
+ /*
+ * Must be an ASN1 parsing error.
+ * Free up any partial choice value
+ */
+ asn1_template_free(pchptr, tt);
 errtt = tt;
 ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
 goto err;
@@ -252,6 +250,8 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
 goto err;
 }
 
+ asn1_set_choice_selector(pval, i, it);
+
 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
 goto auxerr;
 *in = p;
-- 
2.34.1
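Review bot: Nothing visible in this hunk shows that the field released by `asn1_template_free(pchptr, tt)` cannot be freed a second time after `goto err`. The `err` label and the code that initialises the selector both lie outside the hunk. Safety appears to rest on the selector still meaning "no field chosen" there, or on the free call clearing `*pchptr`, and that is worth confirming against the full function. The new comment says what is freed but not why the selector is no longer set on this path, so I would add a line such as `* The selector is deliberately left unset: a half-parsed field must never be seen as the active choice.`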
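Review bot: The relocated `asn1_set_choice_selector(pval, i, it);` carries no comment explaining why it must sit after the parse loop and before the `ASN1_OP_D2I_POST` callback, so a later refactor could move it back into the loop. A one-line comment would pin that ordering, for example `/* Only record the selector once a field has parsed successfully, before the callback reads it */`. The diffstat shows a single changed file, so this commit adds no regression test. A decode test that feeds a CHOICE whose selected field fails to parse, run under a memory sanitizer, would cover both the callback path and the new free path.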