author | Richard Levitte <levitte@openssl.org> | 2017-03-31 21:31:43 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2017-04-04 11:16:47 +0200 |
commit | 4b3a20dc7e66c6c0683a7a1b6521dbc5d287ac1b (patch) | |
tree | ffd6191903ad2e28b3bb63a2505f4cd908046899 /crypto/asn1 | |
parent | 8b6277538350008a19f8015895972a5edf13da11 (diff) |
Fix faulty check of padding in x_long.c
Bug uncovered by test
[extended tests]
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3120)
Diffstat (limited to 'crypto/asn1')
-rw-r--r-- | crypto/asn1/x_long.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c index 615d24df08..a7b90231c0 100644 --- a/crypto/asn1/x_long.c +++ b/crypto/asn1/x_long.c @@ -110,7 +110,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, unsigned long utmp = 0; char *cp = (char *)pval; - if (len) { + if (len > 1) { /* * Check possible pad byte. Worst case, we're skipping past actual * content, but since that's only with 0x00 and 0xff and we set neg @@ -120,7 +120,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case 0xff: cont++; len--; - neg = 1; + neg = 0x80; break; case 0: cont++; @@ -139,6 +139,9 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, neg = 1; else neg = 0; + } else if (neg == (cont[0] & 0x80)) { + ASN1err(ASN1_F_LONG_C2I, ASN1_R_ILLEGAL_PADDING); + return 0; } utmp = 0; for (i = 0; i < len; i++) { |
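Review bot: The `neg = 0x80` assignment in the `case 0xff:` arm gives `neg` a second non-zero encoding without a comment explaining it. The value appears to be chosen so that it can be compared directly with `cont[0] & 0x80` in the padding check added in the last hunk, while the sign-detection path shown there still sets `neg = 1`. I would add a comment at the assignment, for example `/* 0x80 rather than 1: compared with the next byte's sign bit below */`. Code after these hunks that tests `neg` presumably treats it as a plain truth value; that is not visible here and should be confirmed, since the switch and the rest of long_c2i continue outside the hunk.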
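Review bot: The new `else if (neg == (cont[0] & 0x80))` branch reads `cont[0]` without a length test of its own. It looks safe only because a pad byte is stripped under `len > 1` in the first hunk, which leaves at least one content byte. The `if` this branch attaches to and the initial value of `neg` lie outside the hunk, so that reasoning is inferred rather than shown. I would state the dependency next to the check, e.g. `/* a pad byte was stripped above, so len >= 1 and cont[0] is valid */`, or make it explicit with `} else if (len > 0 && neg == (cont[0] & 0x80)) {`. Since this check is what rejects non-minimal integer encodings, a test vector for each redundant form (0x00 before a byte with the high bit clear, 0xff before a byte with the high bit set) would pin the behaviour; the diffstat shown is limited to crypto/asn1, so any such tests are not visible.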