Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check bounds before doing so. Previously, excessively large inputs to the function could write a single byte outside the target buffer. (This is unreachable as asn1_ex_c2i already uses int for the length.) Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4385) (cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950)
author: David Benjamin <davidben@google.com> 2017-09-18 15:58:41 -0400
committer: Andy Polyakov <appro@openssl.org> 2017-09-19 21:32:58 +0200
commit: 22e311ce2e0d9ac0e1cac60a3ac30fc48cedf1de (patch)
tree: e185ddc08674515a64358fa03b49d24267e0393a /crypto/asn1
parent: de6db95d7bc9a0f8993d4e125028a02a7ec46e96 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 33be907f9d..b2e0fb6882 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <limits.h>
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1.h>
@@ -88,6 +89,11 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
         goto err;
     }
 
+    if (len > INT_MAX) {
+        i = ASN1_R_STRING_TOO_LONG;
+        goto err;
+    }
+
     if ((a == NULL) || ((*a) == NULL)) {
         if ((ret = ASN1_BIT_STRING_new()) == NULL)
             return (NULL);
author	David Benjamin <davidben@google.com>	2017-09-18 15:58:41 -0400
committer	Andy Polyakov <appro@openssl.org>	2017-09-19 21:32:58 +0200
commit	22e311ce2e0d9ac0e1cac60a3ac30fc48cedf1de (patch)
tree	e185ddc08674515a64358fa03b49d24267e0393a /crypto/asn1
parent	de6db95d7bc9a0f8993d4e125028a02a7ec46e96 (diff)