authorDr. Stephen Henson <steve@openssl.org>2012-04-19 12:13:59 +0000
committerDr. Stephen Henson <steve@openssl.org>2012-04-19 12:13:59 +0000
commit8d5505d099973a06781b7e0e5b65861859a7d994 (patch)
tree58ae378a68521b231c4195d734f5cefe49785da5 /crypto/mem.c
parentd36e0ee460f41d6b64015455c4f5414a319865c3 (diff)
Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer in CRYPTO_realloc_clean. Thanks to Tavis Ormandy, Google Security Team, for discovering this issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
Diffstat (limited to 'crypto/mem.c')
-rw-r--r--crypto/mem.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/crypto/mem.c b/crypto/mem.c
index 8f736c3b1f..21c0011380 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -363,6 +363,10 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
if (num <= 0) return NULL;
+ /* We don't support shrinking the buffer. Note the memcpy that copies
+ * |old_len| bytes to the new buffer, below. */
+ if (num < old_len) return NULL;
+
if (realloc_debug_func != NULL)
realloc_debug_func(str, NULL, num, file, line, 0);
ret=malloc_ex_func(num,file,line);
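Review bot: The added guard `if (num < old_len) return NULL;` still lets a negative `old_len` through, because any positive `num` compares greater than it. The new comment says a memcpy of |old_len| bytes follows below, and a negative int converted to size_t there would become a very large copy length. I would tighten the check to `if (old_len < 0 || num < old_len) return NULL;`. The memcpy and the callers are outside this hunk, so whether a negative `old_len` can actually arrive is not visible here and this is a defensive suggestion. The comment could also say that a refused shrink returns the same NULL as an allocation failure and leaves `str` unfreed and uncleansed, so callers must not overwrite their only pointer with the result.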