calculation and check overflow against LONG_MAX.
Changes between 0.9.6e and 0.9.6f [XX xxx XXXX]
+ *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
+ and get fix the header length calculation.
+ [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
+ Alon Kantor <alonk@checkpoint.com> (and others),
+ Steve Henson]
+
*) Use proper error handling instead of 'assertions' in buffer
overflow checks added in 0.9.6e. This prevents DoS (the
assertions could call abort()).
*/
#include <stdio.h>
+#include <limits.h>
#include "cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/asn1_mac.h>
(int)(omax+ *pp));
#endif
- if (*plength > (omax - (*pp - p)))
+ if (*plength > (omax - (*p - *pp)))
{
ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
/* Set this so that even if things are not long enough
static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
{
unsigned char *p= *pp;
- long ret=0;
+ unsigned long ret=0;
int i;
if (max-- < 1) return(0);
else
ret=i;
}
- if (ret < 0)
+ if (ret > LONG_MAX)
return 0;
*pp=p;
- *rl=ret;
+ *rl=(long)ret;
return(1);
}
projects / oweals / openssl.git / commitdiff