author | Dr. Stephen Henson <steve@openssl.org> | 2012-04-19 16:19:56 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-04-19 16:19:56 +0000 |
commit | d9a9d10f4f8d4ed051f2488a90b012dceb7ec885 (patch) | |
tree | dabb138053661e7c2c25d1d5bef7221ef0d5ab04 /crypto/mem.c | |
parent | 0d2baadfb4dbd36fa323f3ae57ad309744713572 (diff) |
Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
Diffstat (limited to 'crypto/mem.c')
-rw-r--r-- | crypto/mem.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/mem.c b/crypto/mem.c index 73d68b5f0b..b40a94ce1c 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -364,6 +364,10 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, if (num <= 0) return NULL; + /* We don't support shrinking the buffer. Note the memcpy that copies + * |old_len| bytes to the new buffer, below. */ + if (num < old_len) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line); |
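Review bot: The new guard `if (num < old_len) return NULL;` in CRYPTO_realloc_clean bounds `old_len` only from above, so a negative `old_len` still passes (`num` is already known to be greater than 0 at this point) and reaches the memcpy that the added comment refers to, where an `int` length converted to `size_t` becomes very large. Consider rejecting it in the same test, for example `if (old_len < 0 || num < old_len) return NULL;`. Separately, NULL is now returned for a shrink request as well as for `num <= 0`, and nothing has been done with `str` on that path, so a caller cannot tell a refused shrink from a failed allocation and still owns the old, uncleansed buffer; that contract deserves a sentence in the comment or in the function's documentation.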