From: Dr. Stephen Henson Date: Mon, 15 Aug 2016 15:52:21 +0000 (+0100) Subject: Limit reads in do_b2i_bio() X-Git-Tag: OpenSSL_1_0_2i~84 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b552f32dcb9826c7d08980bc1acf52aa52abb8a1;p=oweals%2Fopenssl.git Limit reads in do_b2i_bio() Apply a limit to the maximum blob length which can be read in do_d2i_bio() to avoid excessive allocation. Thanks to Shi Lei for reporting this. Reviewed-by: Rich Salz (cherry picked from commit 66bcba145740e4f1210499ba6e5033035a2a4647) --- diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 61864468f6..1ce5a1e319 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -127,6 +127,9 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) # define MS_KEYTYPE_KEYX 0x1 # define MS_KEYTYPE_SIGN 0x2 +/* Maximum length of a blob after header */ +# define BLOB_MAX_LENGTH 102400 + /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ # define MS_PVKMAGIC 0xb0b5f11eL /* Salt length for PVK files */ @@ -272,6 +275,10 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub) return NULL; length = blob_length(bitlen, isdss, ispub); + if (length > BLOB_MAX_LENGTH) { + PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG); + return NULL; + } buf = OPENSSL_malloc(length); if (!buf) { PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);