X509_parse_from_buffer: reject massive certificates.

Otherwise we could pass a negative value into |d2i_X509|. Change-Id: I52a35dd9648269094110b69eddd7667a56ec8253 Reviewed-on: https://boringssl-review.googlesource.com/13363 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
2017-01-24 16:06:20 -08:00 · 2017-01-24 16:06:20 -08:00 · 3b3b62f39c
commit 3b3b62f39c
parent 3a2b47ab5b
1 changed files with 6 additions and 0 deletions
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@ -56,6 +56,7 @@
 * [including the GNU Public Licence.] */

 #include <assert.h>
+#include <limits.h>
 #include <stdio.h>

 #include <openssl/asn1t.h>
@ -151,6 +152,11 @@ IMPLEMENT_ASN1_FUNCTIONS(X509)
 IMPLEMENT_ASN1_DUP_FUNCTION(X509)

 X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf) {
+  if (CRYPTO_BUFFER_len(buf) > LONG_MAX) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
+    return 0;
+  }
+
  X509 *x509 = X509_new();
  if (x509 == NULL) {
    return NULL;