From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 24 May 2021 16:47:45 +0000 (+0200)
Subject: Fix possible infinite loop in pem_read_bio_key_decoder()
X-Git-Tag: openssl-3.0.0-beta1~377
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=07f65429c34cb581484371f7d45cb83815f95484;p=thirdparty%2Fopenssl.git

Fix possible infinite loop in pem_read_bio_key_decoder()

There could be an infinite loop if no read happened.

Fixes #15426

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15441)
---

diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index adbf8bcfe70..becf7e277cf 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -36,6 +36,11 @@ static EVP_PKEY *pem_read_bio_key_decoder(BIO *bp, EVP_PKEY **x,
 {
     EVP_PKEY *pkey = NULL;
     OSSL_DECODER_CTX *dctx = NULL;
+    int pos, newpos;
+
+    if ((pos = BIO_tell(bp)) < 0)
+        /* We can depend on BIO_tell() thanks to the BIO_f_readbuffer() */
+        return NULL;
 
     dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", NULL, NULL,
                                          selection, libctx, propq);
@@ -50,8 +55,10 @@ static EVP_PKEY *pem_read_bio_key_decoder(BIO *bp, EVP_PKEY **x,
         goto err;
 
     while (!OSSL_DECODER_from_bio(dctx, bp) || pkey == NULL)
-        if (BIO_eof(bp) != 0)
+        if (BIO_eof(bp) != 0 || (newpos = BIO_tell(bp)) < 0 || newpos <= pos)
             goto err;
+        else
+            pos = newpos;
 
     if (!evp_keymgmt_util_has(pkey, selection)) {
         EVP_PKEY_free(pkey);