Return error when a bit string indicates an invalid amount of bits left
authorKurt Roeckx <kurt@roeckx.be>
Mon, 15 Dec 2014 16:15:16 +0000 (17:15 +0100)
committerKurt Roeckx <kurt@roeckx.be>
Thu, 18 Dec 2014 14:12:00 +0000 (15:12 +0100)
Reviewed-by: Matt Caswell <matt@openssl.org>
crypto/asn1/a_bitstr.c
crypto/asn1/asn1.h
crypto/asn1/asn1_err.c

index 34179960b87aed426902213ab2640ec6f4998d58..4117a67dc36fe7756787bbfa9bfffcf1c0d094a3 100644 (file)
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 
        p= *pp;
        i= *(p++);
+       if (i > 7)
+               {
+               i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+               goto err;
+               }
        /* We do this to preserve the settings.  If we modify
         * the settings, via the _set_bit function, we will recalculate
         * on output */
        ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-       ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+       ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
        if (len-- > 1) /* using one because of the bits left byte */
                {
index 89a2ad40991ff4f2ea6334320b3b43b48123fd35..672c97f792bbef1023d9170ac44af7a1e55c7cc5 100644 (file)
@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE                       184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT                         185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG               128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT             220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH                         129
 #define ASN1_R_INVALID_DIGIT                            130
 #define ASN1_R_INVALID_MIME_TYPE                        205
index 73686de8e7f6915b3ce4cb271e63ba9c18bce84e..568a8416b8116d3bdb65a09a019fe4f70c4c3237 100644 (file)
@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},