From 7a8e62dbd9df2ca2ee522fb3072edbfef6aafd11 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Thu, 19 Mar 2015 15:03:10 -0400 Subject: [PATCH] Fix ASN1_TYPE_cmp Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. CVE-2015-0286 (Imported from upstream's e677e8d13595f7b3287f8feef7676feb301b0e8a.) Change-Id: I5faefc190568504bb5895ed9816a6d80432cfa45 Reviewed-on: https://boringssl-review.googlesource.com/4048 Reviewed-by: Adam Langley --- crypto/asn1/a_type.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 75a17d5c..fd3d5b11 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -125,6 +125,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
 case V_ASN1_NULL:
 result = 0; /* They do not have content. */
 break;
+ case V_ASN1_BOOLEAN:
+ result = a->value.boolean - b->value.boolean;
+ break;
 case V_ASN1_INTEGER:
 case V_ASN1_NEG_INTEGER:
 case V_ASN1_ENUMERATED:
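Review bot: The added `case V_ASN1_BOOLEAN:` arm has no comment saying why BOOLEAN needs its own branch, although the NULL arm just above it explains itself and the commit message ties the missing arm to a crash reachable during certificate verification. A one-line note such as `/* Boolean is held by value in the union, not behind a pointer. */` would keep a later cleanup from folding it back into a generic path; that storage detail is inferred from the `a->value.boolean` access and should be confirmed against the ASN1_TYPE definition. The diffstat lists only a_type.c, so no regression test accompanies the fix, and a unit test comparing two BOOLEAN values (equal and unequal) would pin the behaviour. The rest of the switch in ASN1_TYPE_cmp lies outside the hunk, so how the remaining arms treat other by-value types cannot be checked from here.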