From: Pauli Date: Sun, 4 Apr 2021 03:52:06 +0000 (+1000) Subject: Check for integer overflow in i2a_ASN1_OBJECT and error out if found. X-Git-Tag: openssl-3.0.0-alpha14~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=080669804799b2fef788029555ac7b26f3e67881;p=thirdparty%2Fopenssl.git Check for integer overflow in i2a_ASN1_OBJECT and error out if found. Problem reported by Scott McPeak Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14768) --- diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 6967ab44e89..9d8f48b73cd 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -190,6 +190,10 @@ int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a) return BIO_write(bp, "NULL", 4); i = i2t_ASN1_OBJECT(buf, sizeof(buf), a); if (i > (int)(sizeof(buf) - 1)) { + if (i > INT_MAX - 1) { /* catch an integer overflow */ + ERR_raise(ERR_LIB_ASN1, ASN1_R_LENGTH_TOO_LONG); + return -1; + } if ((p = OPENSSL_malloc(i + 1)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return -1; @@ -349,9 +353,11 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a) if (a == NULL) return; if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) { -#ifndef CONST_STRICT /* disable purely for compile-time strict - * const checking. Doing this on a "real" - * compile will cause memory leaks */ +#ifndef CONST_STRICT + /* + * Disable purely for compile-time strict const checking. Doing this + * on a "real" compile will cause memory leaks + */ OPENSSL_free((void*)a->sn); OPENSSL_free((void*)a->ln); #endif diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 8957519cb26..af706e638eb 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -109,6 +109,7 @@ static const ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UTF8STRING), "invalid utf8string"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_VALUE), "invalid value"}, + {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LENGTH_TOO_LONG), "length too long"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LIST_ERROR), "list error"}, {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_NO_CONTENT_TYPE), "mime no content type"}, diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index aed5b72cff5..07439f7c4ae 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -66,6 +66,7 @@ ASN1_R_INVALID_STRING_TABLE_VALUE:218:invalid string table value ASN1_R_INVALID_UNIVERSALSTRING_LENGTH:133:invalid universalstring length ASN1_R_INVALID_UTF8STRING:134:invalid utf8string ASN1_R_INVALID_VALUE:219:invalid value +ASN1_R_LENGTH_TOO_LONG:231:length too long ASN1_R_LIST_ERROR:188:list error ASN1_R_MIME_NO_CONTENT_TYPE:206:mime no content type ASN1_R_MIME_PARSE_ERROR:207:mime parse error diff --git a/include/crypto/asn1err.h b/include/crypto/asn1err.h index 21800a0ac34..9b623555f83 100644 --- a/include/crypto/asn1err.h +++ b/include/crypto/asn1err.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/asn1err.h b/include/openssl/asn1err.h index 1a20fe82c26..d4276220cbb 100644 --- a/include/openssl/asn1err.h +++ b/include/openssl/asn1err.h @@ -81,6 +81,7 @@ # define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 133 # define ASN1_R_INVALID_UTF8STRING 134 # define ASN1_R_INVALID_VALUE 219 +# define ASN1_R_LENGTH_TOO_LONG 231 # define ASN1_R_LIST_ERROR 188 # define ASN1_R_MIME_NO_CONTENT_TYPE 206 # define ASN1_R_MIME_PARSE_ERROR 207