From 080669804799b2fef788029555ac7b26f3e67881 Mon Sep 17 00:00:00 2001
From: Pauli
Date: Sun, 4 Apr 2021 13:52:06 +1000
Subject: [PATCH] Check for integer overflow in i2a_ASN1_OBJECT and error out if found.

Problem reported by Scott McPeak
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/14768)
---
 crypto/asn1/a_object.c | 12 +++++++++---
 crypto/asn1/asn1_err.c | 3 ++-
 crypto/err/openssl.txt | 1 +
 include/crypto/asn1err.h | 2 +-
 include/openssl/asn1err.h | 1 +
 5 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 6967ab44e8..9d8f48b73c 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -190,6 +190,10 @@ int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
 return BIO_write(bp, "NULL", 4);
 i = i2t_ASN1_OBJECT(buf, sizeof(buf), a);
 if (i > (int)(sizeof(buf) - 1)) {
+ if (i > INT_MAX - 1) { /* catch an integer overflow */
+ ERR_raise(ERR_LIB_ASN1, ASN1_R_LENGTH_TOO_LONG);
+ return -1;
+ }
 if ((p = OPENSSL_malloc(i + 1)) == NULL) {
 ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
 return -1;
@@ -349,9 +353,11 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a)
 if (a == NULL)
 return;
 if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) {
-#ifndef CONST_STRICT /* disable purely for compile-time strict
- * const checking. Doing this on a "real"
- * compile will cause memory leaks */
+#ifndef CONST_STRICT
+ /*
+ * Disable purely for compile-time strict const checking. Doing this
+ * on a "real" compile will cause memory leaks
+ */
 OPENSSL_free((void*)a->sn);
 OPENSSL_free((void*)a->ln);
 #endif
diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 8957519cb2..af706e638e 100644
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
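Review bot: The comment `/* catch an integer overflow */` on the new guard in i2a_ASN1_OBJECT does not say which expression it protects; the overflow it prevents is the `i + 1` passed to OPENSSL_malloc on the following context line, so I would write `/* i + 1 below would overflow int */`. If `i` is an int, as the `(int)` cast on the preceding line suggests, `i > INT_MAX - 1` can only be true for `i == INT_MAX`, and writing it as `i == INT_MAX` or `i >= INT_MAX` would read more directly. The guard also relies on i2t_ASN1_OBJECT reporting the required length without wrapping for a very large OID, which cannot be confirmed from this hunk. The function body starts and ends outside the hunk, so how a zero or negative `i` is handled is not visible here.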
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
@@ -109,6 +109,7 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = {
 {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UTF8STRING),
 "invalid utf8string"},
 {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_VALUE), "invalid value"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LENGTH_TOO_LONG), "length too long"},
 {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LIST_ERROR), "list error"},
 {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_NO_CONTENT_TYPE),
 "mime no content type"},
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index aed5b72cff..07439f7c4a 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -66,6 +66,7 @@ ASN1_R_INVALID_STRING_TABLE_VALUE:218:invalid string table value
 ASN1_R_INVALID_UNIVERSALSTRING_LENGTH:133:invalid universalstring length
 ASN1_R_INVALID_UTF8STRING:134:invalid utf8string
 ASN1_R_INVALID_VALUE:219:invalid value
+ASN1_R_LENGTH_TOO_LONG:231:length too long
 ASN1_R_LIST_ERROR:188:list error
 ASN1_R_MIME_NO_CONTENT_TYPE:206:mime no content type
 ASN1_R_MIME_PARSE_ERROR:207:mime parse error
diff --git a/include/crypto/asn1err.h b/include/crypto/asn1err.h
index 21800a0ac3..9b623555f8 100644
--- a/include/crypto/asn1err.h
+++ b/include/crypto/asn1err.h
@@ -1,6 +1,6 @@
 /*
 * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h
index 1a20fe82c2..d4276220cb 100644
--- a/include/openssl/asn1err.h
+++ b/include/openssl/asn1err.h
@@ -81,6 +81,7 @@
 # define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 133
 # define ASN1_R_INVALID_UTF8STRING 134
 # define ASN1_R_INVALID_VALUE 219
+# define ASN1_R_LENGTH_TOO_LONG 231
 # define ASN1_R_LIST_ERROR 188
 # define ASN1_R_MIME_NO_CONTENT_TYPE 206
 # define ASN1_R_MIME_PARSE_ERROR 207
--
2.39.2