kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix X509_parse_from_buffer when failing to parse.

Browse Source 
d2i_X509 will free an existing |X509*| on parse failure. Thus
|X509_parse_from_buffer| would double-free the result on error.

Change-Id: If2bca2f1e1895bc426079f6ade4b82008707888d
Reviewed-on: https://boringssl-review.googlesource.com/12635
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
Adam Langley 2016-12-07 16:45:24 -08:00 committed by CQ bot account: commit-bot@chromium.org
parent 9d125dcdec
commit c8006be227
2 changed files with 48 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
crypto/x509/x509_test.cc
View File

@ -940,6 +940,50 @@ static bool TestFromBufferReused() {
return true;
}
static bool TestFailedParseFromBuffer() {
static const uint8_t kNonsense[] = {1, 2, 3, 4, 5};
bssl::UniquePtr<CRYPTO_BUFFER> buf(
CRYPTO_BUFFER_new(kNonsense, sizeof(kNonsense), nullptr));
if (!buf) {
return false;
}
bssl::UniquePtr<X509> cert(X509_parse_from_buffer(buf.get()));
if (cert) {
fprintf(stderr, "Nonsense somehow parsed.\n");
return false;
}
ERR_clear_error();
// Test a buffer with trailing data.
size_t data_len;
bssl::UniquePtr<uint8_t> data;
if (!PEMToDER(&data, &data_len, kRootCAPEM)) {
return false;
}
std::unique_ptr<uint8_t[]> data_with_trailing_byte(new uint8_t[data_len + 1]);
memcpy(data_with_trailing_byte.get(), data.get(), data_len);
data_with_trailing_byte[data_len] = 0;
bssl::UniquePtr<CRYPTO_BUFFER> buf_with_trailing_byte(
CRYPTO_BUFFER_new(data_with_trailing_byte.get(), data_len + 1, nullptr));
if (!buf_with_trailing_byte) {
return false;
}
bssl::UniquePtr<X509> root(
X509_parse_from_buffer(buf_with_trailing_byte.get()));
if (root) {
fprintf(stderr, "Parsed buffer with trailing byte.\n");
return false;
}
ERR_clear_error();
return true;
}
int main() {
CRYPTO_library_init();
@ -951,7 +995,8 @@ int main() {
!TestFromBuffer() ||
!TestFromBufferTrailingData() ||
!TestFromBufferModified() ||
!TestFromBufferReused()) {
!TestFromBufferReused() ||
!TestFailedParseFromBuffer()) {
return 1;
}

4
crypto/x509/x_x509.c
View File

@ -162,8 +162,8 @@ X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf) {
X509 *x509p = x509;
X509 *ret = d2i_X509(&x509p, &inp, CRYPTO_BUFFER_len(buf));
if (ret == NULL ||
(inp - CRYPTO_BUFFER_data(buf)) != (ptrdiff_t) CRYPTO_BUFFER_len(buf)) {
X509_free(x509);
inp - CRYPTO_BUFFER_data(buf) != (ptrdiff_t)CRYPTO_BUFFER_len(buf)) {
X509_free(x509p);
return NULL;
}
assert(x509p == x509);