kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

bytestring: fix ASN.1 data longer than 127 bytes.

Browse Source 
When shifting data because extra ASN.1 length bytes were needed, the
data was moved from the start of the ASN.1 length, not the start of the
ASN.1 data.

Change-Id: Ib13d5e4e878774df2af0505c0297eff6cf781728
Reviewed-on: https://boringssl-review.googlesource.com/1430
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
This commit is contained in:
Adam Langley 2014-08-06 16:01:44 -07:00 committed by Adam Langley
parent 4518d39205
commit 8e89e64554
2 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
crypto/bytestring/bytestring_test.c
View File

@ -346,7 +346,8 @@ static int test_cbb_asn1() {
}
free(buf);
test_data = calloc(1, 100000);
test_data = malloc(100000);
memset(test_data, 0x42, 100000);
if (!CBB_init(&cbb, 0) ||
!CBB_add_asn1(&cbb, &contents, 0x30) ||
@ -355,7 +356,9 @@ static int test_cbb_asn1() {
return 0;
}
if (buf_len != 3 + 130 || memcmp(buf, "\x30\x81\x82", 3) != 0) {
if (buf_len != 3 + 130 ||
memcmp(buf, "\x30\x81\x82", 3) != 0 ||
memcmp(buf + 3, test_data, 130) != 0) {
return 0;
}
free(buf);
@ -367,7 +370,9 @@ static int test_cbb_asn1() {
return 0;
}
if (buf_len != 4 + 1000 || memcmp(buf, "\x30\x82\x03\xe8", 4) != 0) {
if (buf_len != 4 + 1000 ||
memcmp(buf, "\x30\x82\x03\xe8", 4) != 0 ||
memcmp(buf + 4, test_data, 1000)) {
return 0;
}
free(buf);
@ -381,7 +386,8 @@ static int test_cbb_asn1() {
}
if (buf_len != 5 + 5 + 100000 ||
memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10) != 0) {
memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10) != 0 ||
memcmp(buf + 10, test_data, 100000)) {
return 0;
}
free(buf);

8
crypto/bytestring/cbb.c
View File

@ -14,6 +14,8 @@
#include <openssl/bytestring.h>
#include <assert.h>
#include <openssl/mem.h>
@ -174,6 +176,8 @@ int CBB_flush(CBB *cbb) {
size_t len_len;
uint8_t initial_length_byte;
assert (cbb->pending_len_len == 1);
if (len > 0xfffffffe) {
/* Too large. */
return 0;
@ -201,8 +205,8 @@ int CBB_flush(CBB *cbb) {
if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
return 0;
}
memmove(cbb->base->buf + cbb->offset + extra_bytes,
cbb->base->buf + cbb->offset, len);
memmove(cbb->base->buf + child_start + extra_bytes,
cbb->base->buf + child_start, len);
}
cbb->base->buf[cbb->offset++] = initial_length_byte;
cbb->pending_len_len = len_len - 1;