Return error when a bit string indicates an invalid amount of bits left
authorKurt Roeckx <kurt@roeckx.be>
Mon, 15 Dec 2014 16:15:16 +0000 (17:15 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 5 Jan 2015 15:23:42 +0000 (15:23 +0000)
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 86edf13b1c97526c0cf63c37342aaa01f5442688)

crypto/asn1/a_bitstr.c
crypto/asn1/asn1.h
crypto/asn1/asn1_err.c

index 0fb9ce0c2aea189ce384b988361b868d758f9efa..665fc09a1dc56c8e985af263819a4c620615ac68 100644 (file)
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 
        p= *pp;
        i= *(p++);
+       if (i > 7)
+               {
+               i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+               goto err;
+               }
        /* We do this to preserve the settings.  If we modify
         * the settings, via the _set_bit function, we will recalculate
         * on output */
        ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-       ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+       ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
        if (len-- > 1) /* using one because of the bits left byte */
                {
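Review bot: The new `i > 7` guard still accepts a non-zero unused-bits octet when the BIT STRING has no content octets: for `len == 1` the `if (len-- > 1)` branch below is skipped, yet `ret->flags` has already recorded `i`. X.690 requires the initial octet to be zero for an empty bit string, so a stricter guard would be `if (i > 7 || (len == 1 && i != 0))`, reusing ASN1_R_INVALID_BIT_STRING_BITS_LEFT; accepting several encodings of the same value is the kind of leniency this commit is otherwise closing. A short comment above the check would also help, for example `/* first content octet = count of unused bits in the last octet, must be 0..7 */`, because `i` is reused as the error reason code two lines later. The body of c2i_ASN1_BIT_STRING starts and ends outside the hunk, so the length check that must precede `*(p++)` and the masking of the final octet are not visible here and should be confirmed.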
index 4add41e741a80cd49f405fa966e92f6c3838acc1..aeb3f4c1b4ed97008fd183e5e9f6c3454d7f98b0 100644 (file)
@@ -1260,6 +1260,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE                       184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT                         185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG               128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT             220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH                         129
 #define ASN1_R_INVALID_DIGIT                            130
 #define ASN1_R_INVALID_MIME_TYPE                        200
index afe037d7e98a0ed9a94d0d8d3a308a2722a33c4a..92b4f8f100bbe0a853022c37392cb7feb7a2b3f0 100644 (file)
@@ -235,6 +235,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},