kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Bound everything parsed by the legacy ASN.1 stack.

Browse Source 
crypto/asn1 routinely switches between int and long without overflow
checks. Fortunately, it funnels everything into a common entrypoint, so
we can uniformly bound all inputs to something which comfortably fits in
an int.

Change-Id: I340674c6b07820309dc5891024498878c82e225b
Reviewed-on: https://boringssl-review.googlesource.com/20366
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2017-09-15 18:33:30 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 288ca7dcb4
commit 82dfea8d9e
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
crypto/asn1/tasn_dec.c
View File

@ -56,6 +56,7 @@
#include <openssl/asn1.h>
#include <limits.h>
#include <string.h>
#include <openssl/asn1t.h>
@ -179,6 +180,14 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
else
asn1_cb = 0;
/*
* Bound |len| to comfortably fit in an int. Lengths in this module often
* switch between int and long without overflow checks.
*/
if (len > INT_MAX/2) {
len = INT_MAX/2;
}
switch (it->itype) {
case ASN1_ITYPE_PRIMITIVE:
if (it->templates) {