From: Matt Caswell <matt@openssl.org>
Date: Thu, 19 Aug 2021 11:24:17 +0000 (+0100)
Subject: Fix EC_GROUP_new_from_ecparameters to check the base length
X-Git-Tag: OpenSSL_1_1_1l~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11;p=thirdparty%2Fopenssl.git

Fix EC_GROUP_new_from_ecparameters to check the base length

Check that there's at least one byte in params->base before trying to
read it.

CVE-2021-3712

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
---

diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 7b7c75ce844..e497a259095 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -761,7 +761,10 @@ EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
         ret->seed_len = params->curve->seed->length;
     }
 
-    if (!params->order || !params->base || !params->base->data) {
+    if (params->order == NULL
+            || params->base == NULL
+            || params->base->data == NULL
+            || params->base->length == 0) {
         ECerr(EC_F_EC_GROUP_NEW_FROM_ECPARAMETERS, EC_R_ASN1_ERROR);
         goto err;
     }