Update from stable branch.

This commit is contained in:
Dr. Stephen Henson 2009-03-25 12:53:50 +00:00
parent 7ce8c95d58
commit 80b2ff978d
3 changed files with 19 additions and 0 deletions

View File

@ -751,6 +751,11 @@
Changes between 0.9.8j and 0.9.8k [xx XXX xxxx] Changes between 0.9.8j and 0.9.8k [xx XXX xxxx]
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
appear to verify correctly. (CVE-2009-0591)
[Ivan Nestlerode <inestlerode@us.ibm.com>]
*) Reject UniversalString and BMPString types with invalid lengths. This *) Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
a legal length. (CVE-2009-0590) a legal length. (CVE-2009-0590)

View File

@ -199,6 +199,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"},
{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"},
{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"},
{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"},
{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
@ -290,6 +291,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"},
{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"},

View File

@ -1016,6 +1016,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
case V_ASN1_SET: case V_ASN1_SET:
case V_ASN1_SEQUENCE: case V_ASN1_SEQUENCE:
default: default:
if (utype == V_ASN1_BMPSTRING && (len & 1))
{
ASN1err(ASN1_F_ASN1_EX_C2I,
ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
goto err;
}
if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
{
ASN1err(ASN1_F_ASN1_EX_C2I,
ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
goto err;
}
/* All based on ASN1_STRING and handled the same */ /* All based on ASN1_STRING and handled the same */
if (!*pval) if (!*pval)
{ {