diff options
| author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2022-05-19 15:50:28 +0200 |
|---|---|---|
| committer | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2022-05-21 05:57:34 +0200 |
| commit | 17519e2595b5ed8211a7763ff6eb2d6cf47c13cb (patch) | |
| tree | 0211a7b3c64c7b007a03dbecf51c489967c06fd4 | |
| parent | 03ba56f1525c93eb3dfe72f85cdc698b97918e59 (diff) | |
Backport a missing bug-fix from master
This is a backport of the following commit from master:
commit 61b0fead5e6079ca826594df5b9ca00e65883cb0
Author: Matt Caswell <matt@openssl.org>
Date: Thu Nov 19 13:58:21 2020 +0000
Don't Overflow when printing Thawte Strong Extranet Version
When printing human readable info on the Thawte Strong Extranet extension
the version number could overflow if the version number == LONG_MAX. This
is undefined behaviour.
Issue found by OSSFuzz.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13452)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18347)
| -rw-r--r-- | crypto/x509v3/v3_sxnet.c | 18 | ||||
| -rw-r--r-- | fuzz/corpora/crl/4d72381f46c50eb9cabd8aa27f456962bf013b28 | bin | 0 -> 65 bytes |
2 files changed, 15 insertions, 3 deletions
diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c index 89cda01be2..0648553ae3 100644 --- a/crypto/x509v3/v3_sxnet.c +++ b/crypto/x509v3/v3_sxnet.c @@ -57,12 +57,24 @@ IMPLEMENT_ASN1_FUNCTIONS(SXNET) static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent) { - long v; + int64_t v; char *tmp; SXNETID *id; int i; - v = ASN1_INTEGER_get(sx->version); - BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v); + + /* + * Since we add 1 to the version number to display it, we don't support + * LONG_MAX since that would cause on overflow. + */ + if (!ASN1_INTEGER_get_int64(&v, sx->version) + || v >= LONG_MAX + || v < LONG_MIN) { + BIO_printf(out, "%*sVersion: <unsupported>", indent, ""); + } else { + long vl = (long)v; + + BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", vl + 1, vl); + } for (i = 0; i < sk_SXNETID_num(sx->ids); i++) { id = sk_SXNETID_value(sx->ids, i); tmp = i2s_ASN1_INTEGER(NULL, id->zone); diff --git a/fuzz/corpora/crl/4d72381f46c50eb9cabd8aa27f456962bf013b28 b/fuzz/corpora/crl/4d72381f46c50eb9cabd8aa27f456962bf013b28 Binary files differnew file mode 100644 index 0000000000..dde1c66748 --- /dev/null +++ b/fuzz/corpora/crl/4d72381f46c50eb9cabd8aa27f456962bf013b28 |