projects / oweals / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0275883) | patch
PKCS#7: avoid NULL pointer dereferences with missing content
authorEmilia Kasper <emilia@openssl.org>
Fri, 27 Feb 2015 15:52:23 +0000 (16:52 +0100)
committerMatt Caswell <matt@openssl.org>
Thu, 19 Mar 2015 13:00:11 +0000 (13:00 +0000)
commit9104dc42558665e851e240e4e12030bef459787c
tree378c50eb003078469eeef4a00c99915354927a44tree | snapshot
parent02758836731658381580e282ff403ba07d87b2f8commit | diff
PKCS#7: avoid NULL pointer dereferences with missing content

In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
crypto/pkcs7/pk7_doit.c diff | blob | history
crypto/pkcs7/pk7_lib.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.