Fix ASN1_TYPE_cmp
authorDr. Stephen Henson <steve@openssl.org>
Mon, 9 Mar 2015 23:11:45 +0000 (23:11 +0000)
committerMatt Caswell <matt@openssl.org>
Thu, 19 Mar 2015 13:01:13 +0000 (13:01 +0000)
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
crypto/asn1/a_type.c

index 13ecfcd9b9b03a4a28185b829e42c91c3ab3da30..e7ec49d39ae120cfa90c60b1e0bfc4885449a2af 100644 (file)
@@ -115,6 +115,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
     case V_ASN1_OBJECT:
         result = OBJ_cmp(a->value.object, b->value.object);
         break;
+    case V_ASN1_BOOLEAN:
+        result = a->value.boolean - b->value.boolean;
+        break;
     case V_ASN1_NULL:
         result = 0;             /* They do not have content. */
         break;