From 22e311ce2e0d9ac0e1cac60a3ac30fc48cedf1de Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Mon, 18 Sep 2017 15:58:41 -0400 Subject: [PATCH] Fix overflow in c2i_ASN1_BIT_STRING. c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds before doing so. Previously, excessively large inputs to the function could write a single byte outside the target buffer. (This is unreachable as asn1_ex_c2i already uses int for the length.) Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: Richard Levitte Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/4385) (cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950) --- crypto/asn1/a_bitstr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 33be907f9d..b2e0fb6882 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #include #include "internal/cryptlib.h" #include @@ -88,6 +89,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, goto err; } + if (len > INT_MAX) { + i = ASN1_R_STRING_TOO_LONG; + goto err; + } + if ((a == NULL) || ((*a) == NULL)) { if ((ret = ASN1_BIT_STRING_new()) == NULL) return (NULL); -- 2.25.1