The i2d_X509() function can return a negative value on error. Therefore
we should make sure we check it.
Issue reported by Yuan Jochen Kang.
(Imported from upstream's 8f43c80bfa)
Change-Id: If247d5bf1d792eb7c6dc179b606ed21ea0ccdbb8
Reviewed-on: https://boringssl-review.googlesource.com/7743
Reviewed-by: David Benjamin <davidben@google.com>
kris/onging/CECPQ3_patch15
@@ -206,10 +206,20 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) | |||||
int i2d_X509_AUX(X509 *a, unsigned char **pp) | int i2d_X509_AUX(X509 *a, unsigned char **pp) | ||||
{ | { | ||||
int length; | |||||
int length, tmplen; | |||||
unsigned char *start = *pp; | |||||
length = i2d_X509(a, pp); | length = i2d_X509(a, pp); | ||||
if (a) | |||||
length += i2d_X509_CERT_AUX(a->aux, pp); | |||||
if (length < 0 || a == NULL) { | |||||
return length; | |||||
} | |||||
tmplen = i2d_X509_CERT_AUX(a->aux, pp); | |||||
if (tmplen < 0) { | |||||
*pp = start; | |||||
return tmplen; | |||||
} | |||||
length += tmplen; | |||||
return length; | return length; | ||||
} | } | ||||
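Review bot: `unsigned char *start = *pp;` dereferences `pp` unconditionally at the top of i2d_X509_AUX, yet i2d-style encoders are commonly called with a NULL output pointer to obtain only the length (the other hunk in this commit does exactly that with `i2d_X509(x, NULL)`), so a length-only call here would now crash before any encoding happens. Guard both uses: `unsigned char *start = pp != NULL ? *pp : NULL;` and, in the error path, `if (start != NULL) *pp = start;`. Separately, if a caller passes `*pp == NULL` and i2d_X509 allocates the output in that mode, resetting `*pp` to `start` would presumably drop the only reference to that buffer; that case deserves a comment or explicit handling.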
@@ -422,13 +422,18 @@ static int ssl_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) { | |||||
uint8_t *p; | uint8_t *p; | ||||
n = i2d_X509(x, NULL); | n = i2d_X509(x, NULL); | ||||
if (!BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { | |||||
if (n < 0 || !BUF_MEM_grow_clean(buf, (int)(n + (*l) + 3))) { | |||||
OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); | OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); | ||||
return 0; | return 0; | ||||
} | } | ||||
p = (uint8_t *)&(buf->data[*l]); | p = (uint8_t *)&(buf->data[*l]); | ||||
l2n3(n, p); | l2n3(n, p); | ||||
i2d_X509(x, &p); | |||||
n = i2d_X509(x, &p); | |||||
if (n < 0) { | |||||
/* This shouldn't happen. */ | |||||
OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB); | |||||
return 0; | |||||
} | |||||
*l += n + 3; | *l += n + 3; | ||||
return 1; | return 1; | ||||
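Review bot: The second `i2d_X509(x, &p)` result is only checked for being negative, but the buffer was sized and the 3-byte length prefix written by `l2n3(n, p)` from the first call's value, and `*l` is then advanced by the second value. If the two calls ever disagree, the prefix no longer matches the bytes written, and a larger second encoding would already have run past the space reserved by BUF_MEM_grow_clean. Keep the first length in its own variable and fail on mismatch, e.g. `len = i2d_X509(x, &p);` followed by `if (len < 0 || len != n) {`. Also, `(int)(n + (*l) + 3)` narrows an unsigned long sum to int, so it would be worth bounding `*l` and checking that `n` fits the 24-bit prefix before growing the buffer. The function starts and ends outside this hunk.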