]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a62d247)
Ensure ASN1 types are checked before use.
authorBob Beck <beck@openssl.org>
Wed, 7 Jan 2026 18:29:48 +0000 (11:29 -0700)
committerNorbert Pocs <norbertp@openssl.org>
Tue, 13 Jan 2026 11:11:18 +0000 (12:11 +0100)
Some of these were fixed by LibreSSL in commit https://github.com/openbsd/src/commit/aa1f637d454961d22117b4353f98253e984b3ba8
this fix includes the other fixes in that commit, as well as fixes for others found by a scan
for a similar unvalidated access paradigm in the tree.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29582)

apps/s_client.c patch | blob | blame | history
crypto/pkcs12/p12_kiss.c patch | blob | blame | history
crypto/pkcs7/pk7_doit.c patch | blob | blame | history

diff --git a/apps/s_client.c b/apps/s_client.c
index 7b2cabdc428a9bb135d55db4c99ab9ec1b92ba2e..d0611433261dc29810cc1a0d8e6f952746a06e62 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2847,8 +2847,9 @@ re_start:
             goto end;
         }
         atyp = ASN1_generate_nconf(genstr, cnf);
-        if (atyp == NULL) {
+        if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
             NCONF_free(cnf);
+            ASN1_TYPE_free(atyp);
             BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
             goto end;
         }
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 10b581612dbb2d5c416b551b5aa314cd07c68a24..d0236e34fe9df2dad5432ab036597bdaa3129a12 100644 (file)
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -196,11 +196,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
     ASN1_BMPSTRING *fname = NULL;
     ASN1_OCTET_STRING *lkid = NULL;
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
+        if (attrib->type != V_ASN1_BMPSTRING)
+            return 0;
         fname = attrib->value.bmpstring;
+    }
 
-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
+    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
+        if (attrib->type != V_ASN1_OCTET_STRING)
+            return 0;
         lkid = attrib->value.octet_string;
+    }
 
     switch (PKCS12_SAFEBAG_get_nid(bag)) {
     case NID_keyBag:
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index 02444d983c47645fe01c53ca87c95f2b646b17c2..7798846b16ec17c520f4ca5ae9672aecddf03ce2 100644 (file)
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1229,6 +1229,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
     ASN1_TYPE *astype;
     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
         return NULL;
+    if (astype->type != V_ASN1_OCTET_STRING)
+        return NULL;
     return astype->value.octet_string;
 }
 
Mirror of https://github.com/openssl/openssl.git