Harden the lower level parts of crypto/asn1 against overflows.

The legacy ASN.1 stack contains an unsalvageable mix of integer types. 82dfea8d9e bounded all inputs to the template machinery, but sometimes code will call ASN1_get_object directly, such as the just deleted d2i_ASN1_UINTEGER. Thanks to mlbrown for reporting the d2i_ASN1_UINTEGER overflow. Bug: chromium:942269 Change-Id: I2d4c8b7faf5dadd1b68dbdb51a5feae071ea2cb6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35325 Reviewed-by: Adam Langley <agl@google.com>
2019-03-14 18:31:16 -05:00 · 2019-03-14 18:31:16 -05:00 · 0dcab9302f
commit 0dcab9302f
parent bab14fa753
1 changed files with 5 additions and 1 deletions
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@ -205,7 +205,11 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
        } else
            ret = i;
    }
-    if (ret > LONG_MAX)
+    /*
+     * Bound the length to comfortably fit in an int. Lengths in this module
+     * often switch between int and long without overflow checks.
+     */
+    if (ret > INT_MAX / 2)
        return 0;
    *pp = p;
    *rl = (long)ret;