From 958aaf1ea1b481e8ef32970d5b0add80504be4b2 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Tue, 16 Aug 2016 02:01:54 -0400 Subject: [PATCH] Check for errors in BN_bn2dec() If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing. Fix by checking return value of BN_div_word() and checking writes don't overflow buffer. Thanks to Shi Lei for reporting this bug. CVE-2016-2182 (Imported from upstream's e36f27ddb80a48e579783bc29fb3758988342b71.) Change-Id: Ib9078921b4460952c4aa5a6b03ec39a03704bb90 Reviewed-on: https://boringssl-review.googlesource.com/10367 CQ-Verified: CQ bot account: commit-bot@chromium.org Commit-Queue: David Benjamin Commit-Queue: Adam Langley Reviewed-by: Adam Langley --- crypto/bn/convert.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/crypto/bn/convert.c b/crypto/bn/convert.c index 1392a705..38648c66 100644 --- a/crypto/bn/convert.c +++ b/crypto/bn/convert.c @@ -375,6 +375,7 @@ char *BN_bn2dec(const BIGNUM *a) { char *p; BIGNUM *t = NULL; BN_ULONG *bn_data = NULL, *lp; + int bn_data_num; /* get an upper bound for the length of the decimal integer * num <= (BN_num_bits(a) + 1) * log(2) @@ -383,7 +384,8 @@ char *BN_bn2dec(const BIGNUM *a) { */ i = BN_num_bits(a) * 3; num = i / 10 + i / 1000 + 1 + 1; - bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); + bn_data_num = num / BN_DEC_NUM + 1; + bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); buf = OPENSSL_malloc(num + 3); if ((buf == NULL) || (bn_data == NULL)) { OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE); @@ -408,7 +410,13 @@ char *BN_bn2dec(const BIGNUM *a) { } else { while (!BN_is_zero(t)) { *lp = BN_div_word(t, BN_DEC_CONV); + if (*lp == (BN_ULONG)-1) { + goto err; + } lp++; + if (lp - bn_data >= bn_data_num) { + goto err; + } } lp--; /* We now have a series of blocks, BN_DEC_NUM chars