projects / oweals / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d202a60)
Fix ASN1_INTEGER handling.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 15 Apr 2016 01:37:09 +0000 (02:37 +0100)
committerMatt Caswell <matt@openssl.org>
Tue, 3 May 2016 12:06:15 +0000 (13:06 +0100)
Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
for on the wire encoding.

Thanks to David Benjamin <davidben@google.com> for reporting this bug.

This was found using libFuzzer.

RT#4364 (part)CVE-2016-2108.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
crypto/asn1/a_type.c patch | blob | history
crypto/asn1/tasn_dec.c patch | blob | history
crypto/asn1/tasn_enc.c patch | blob | history

diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 8dea2e0e5cbd6bb763e914a5ccf4b4d0b3ab6747..e132b0c40afeb6061e62a15ba7fa26e05f16937d 100644 (file)
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -122,9 +122,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
         result = 0;             /* They do not have content. */
         break;
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
     case V_ASN1_BIT_STRING:
     case V_ASN1_OCTET_STRING:
     case V_ASN1_SEQUENCE:
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 571592199f907ade360a1dcd3df6b40ab9a08176..dd96dafeb37777d814051262f7e6981843208824 100644 (file)
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -858,9 +858,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         tint = (ASN1_INTEGER **)pval;
         if (!c2i_ASN1_INTEGER(tint, &cont, len))
             goto err;
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 0d25cf9d75e7e3ec299d063bbb2f2c99d69501c8..ae00a61d6e24f212a7a6272c256ddbdcd7079dcf 100644 (file)
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -600,9 +600,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
                                    cout ? &cout : NULL);
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         /*
          * These are all have the same content format as ASN1_INTEGER
          */
Unnamed repository; edit this file 'description' to name the repository.