From ecca16632a73bb80ee27cdec8a97f6def0a4714d Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Tue, 21 Feb 2017 13:07:13 -0500 Subject: [PATCH] Prevent OOB in SRP base64 code. Change size comparison from > (GT) to >= (GTE) to ensure an additional byte of output buffer, to prevent OOB reads/writes later in the function Reject input strings larger than 2GB Detect invalid output buffer size and return early Reviewed-by: Richard Levitte Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2672) --- crypto/srp/srp_vfy.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 188fad27e1..29b7afcb04 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -36,10 +36,13 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) int i, j; int size; + if (alen == 0 || alen > INT_MAX) + return -1; + while (*src && (*src == ' ' || *src == '\t' || *src == '\n')) ++src; size = strlen(src); - if (alen > INT_MAX || size > (int)alen) + if (size < 0 || size >= (int)alen) return -1; i = 0; @@ -77,7 +80,7 @@ static int t_fromb64(unsigned char *a, size_t alen, const char *src) if (--i < 0) break; } - while (a[j] == 0 && j <= size) + while (j <= size && a[j] == 0) ++j; i = 0; while (j <= size) -- 2.25.1