Check for integer overflow in i2a_ASN1_OBJECT and error out if found.

Problem reported by Scott McPeak <scott.g.mcpeak@gmail.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14768)

diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 6967ab44e89f281adf8a8b6389629aea1c059fdc..9d8f48b73cd26130b1f4033ea0c537ae028c7a40 100644 (file)
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -190,6 +190,10 @@ int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a)
         return BIO_write(bp, "NULL", 4);
     i = i2t_ASN1_OBJECT(buf, sizeof(buf), a);
     if (i > (int)(sizeof(buf) - 1)) {
+        if (i > INT_MAX - 1) {  /* catch an integer overflow */
+            ERR_raise(ERR_LIB_ASN1, ASN1_R_LENGTH_TOO_LONG);
+            return -1;
+        }
         if ((p = OPENSSL_malloc(i + 1)) == NULL) {
             ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
             return -1;
@@ -349,9 +353,11 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a)
     if (a == NULL)
         return;
     if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) {
-#ifndef CONST_STRICT            /* disable purely for compile-time strict
-                                 * const checking. Doing this on a "real"
-                                 * compile will cause memory leaks */
+#ifndef CONST_STRICT
+        /*
+         * Disable purely for compile-time strict const checking.  Doing this
+         * on a "real" compile will cause memory leaks
+         */
         OPENSSL_free((void*)a->sn);
         OPENSSL_free((void*)a->ln);
 #endif

diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
index 8957519cb26439534327f568b0bf449c420b8349..af706e638eb6d08a8b61a9887ae9281696ef8659 100644 (file)
--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -109,6 +109,7 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = {
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UTF8STRING),
     "invalid utf8string"},
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_VALUE), "invalid value"},
+    {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LENGTH_TOO_LONG), "length too long"},
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LIST_ERROR), "list error"},
     {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_NO_CONTENT_TYPE),
     "mime no content type"},

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index aed5b72cff56109b9ea733e9cca3c2fa0943ea25..07439f7c4ae6ed4c1031eb4e8f09cfbb90e6a803 100644 (file)
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -66,6 +66,7 @@ ASN1_R_INVALID_STRING_TABLE_VALUE:218:invalid string table value
 ASN1_R_INVALID_UNIVERSALSTRING_LENGTH:133:invalid universalstring length
 ASN1_R_INVALID_UTF8STRING:134:invalid utf8string
 ASN1_R_INVALID_VALUE:219:invalid value
+ASN1_R_LENGTH_TOO_LONG:231:length too long
 ASN1_R_LIST_ERROR:188:list error
 ASN1_R_MIME_NO_CONTENT_TYPE:206:mime no content type
 ASN1_R_MIME_PARSE_ERROR:207:mime parse error

diff --git a/include/crypto/asn1err.h b/include/crypto/asn1err.h
index 21800a0ac34b7ab8953ab6194532dc6abd1beacf..9b623555f8382e57caa0ef1bfa1209fb31e3b972 100644 (file)
--- a/include/crypto/asn1err.h
+++ b/include/crypto/asn1err.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy

diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h
index 1a20fe82c265262294486ef01adef06cc2ddc052..d4276220cbbe62f63c35ab8429f40af452a45257 100644 (file)
--- a/include/openssl/asn1err.h
+++ b/include/openssl/asn1err.h
@@ -81,6 +81,7 @@
 # define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH            133
 # define ASN1_R_INVALID_UTF8STRING                        134
 # define ASN1_R_INVALID_VALUE                             219
+# define ASN1_R_LENGTH_TOO_LONG                           231
 # define ASN1_R_LIST_ERROR                                188
 # define ASN1_R_MIME_NO_CONTENT_TYPE                      206
 # define ASN1_R_MIME_PARSE_ERROR                          207