author | Richard Levitte <levitte@openssl.org> | 2002-08-08 20:11:31 +0000 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2002-08-08 20:11:31 +0000 |
commit | bfce617770d1a4b1e3942842a1da828c46a1c8ab (patch) | |
tree | 1dafeb19266703fe7e41f446d9aec2291993b2f7 | |
parent | 1ce60f02d398b6f13b72c07daf0edc36a87eb6cf (diff) |
Recent changes.
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | crypto/asn1/asn1_lib.c | 9 |
2 files changed, 11 insertions, 4 deletions
@@ -4,6 +4,12 @@ Changes between 0.9.6e and 0.9.6f [XX xxx XXXX] + *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX + and get fix the header length calculation. + [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, + Alon Kantor <alonk@checkpoint.com> (and others), + Steve Henson] + *) Use proper error handling instead of 'assertions' in buffer overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 1fe3fbc1fa..e4a56a926a 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -57,6 +57,7 @@ */ #include <stdio.h> +#include <limits.h> #include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/asn1_mac.h> @@ -124,7 +125,7 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, (int)(omax+ *pp)); #endif - if (*plength > (omax - (*pp - p))) + if (*plength > (omax - (p - *pp))) { ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG); /* Set this so that even if things are not long enough @@ -141,7 +142,7 @@ err: static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) { unsigned char *p= *pp; - long ret=0; + unsigned long ret=0; int i; if (max-- < 1) return(0); @@ -170,10 +171,10 @@ static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) else ret=i; } - if (ret < 0) + if (ret > LONG_MAX) return 0; *pp=p; - *rl=ret; + *rl=(long)ret; return(1); } |
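Review bot: In the `ASN1_get_object` hunk, the corrected bound `omax - (p - *pp)` carries no comment saying what it measures, and the operand order is exactly what was wrong before. I would add `/* p - *pp is the header already consumed; the rest of omax is the room left for the contents */` directly above the `if`. The function starts and ends outside this hunk, so how `p` is advanced past the header is not visible here and should be read alongside this check.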
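Review bot: The new `if (ret > LONG_MAX)` test in `asn1_get_length` only detects an oversized length if the accumulation into `ret` cannot itself wrap past `unsigned long`, and nothing in these two hunks shows that bound. The code between the `unsigned long ret=0;` declaration (hunk `@@ -141,7 +142,7`) and this check is outside the diff. If it caps the number of length octets at `sizeof(long)`, state that next to the check, e.g. `/* at most sizeof(long) octets were read, so ret cannot wrap; reject what does not fit a non-negative long */`. If no such cap exists, a long-form length with more octets would lose its high bytes before the comparison, and the check would pass a truncated value.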