mirror of
https://github.com/openssl/openssl.git
synced 2025-04-06 20:20:50 +08:00
Bugfix: in asn1parse avoid erroneous len after a sub-sequence
Introduced in:
commit 79c7f74d6cefd5d32fa20e69195ad3de834ce065
Author: Ben Laurie <ben@links.org>
Date: Tue Mar 29 19:37:57 2016 +0100
Fix buffer overrun in ASN1_parse().
Problem input:
https://tools.ietf.org/html/draft-ietf-curdle-pkix-eddsa-00#section-8.1
-----BEGIN PUBLIC KEY-----
MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
-----END PUBLIC KEY-----
Previously:
0:d=0 hl=2 l= 45 cons: SEQUENCE
2:d=1 hl=2 l= 8 cons: SEQUENCE
4:d=2 hl=2 l= 3 prim: OBJECT :1.3.101.100
9:d=2 hl=2 l= 1 prim: ENUMERATED :02
Error in encoding
140735164989440:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../openssl/crypto/asn1/asn1_lib.c:148:
Now:
0:d=0 hl=2 l= 45 cons: SEQUENCE
2:d=1 hl=2 l= 8 cons: SEQUENCE
4:d=2 hl=2 l= 3 prim: OBJECT :1.3.101.100
9:d=2 hl=2 l= 1 prim: ENUMERATED :02
12:d=1 hl=2 l= 33 prim: BIT STRING
0000 - 00 19 bf 44 09 69 84 cd-fe 85 41 ba c1 67 dc 3b ...D.i....A..g.;
0010 - 96 c8 50 86 aa 30 b6 b6-cb 0c 5c 38 ad 70 31 66 ..P..0....\8.p1f
0020 - e1 .
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Viktor Dukhovni
parent
5968d11a7a
commit
bdcd660e33
@ -189,18 +189,19 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
|
||||
}
|
||||
}
|
||||
} else {
|
||||
long tmp = len;
|
||||
|
||||
while (p < ep) {
|
||||
sp = p;
|
||||
r = asn1_parse2(bp, &p, len,
|
||||
r = asn1_parse2(bp, &p, tmp,
|
||||
offset + (p - *pp), depth + 1,
|
||||
indent, dump);
|
||||
if (r == 0) {
|
||||
ret = 0;
|
||||
goto end;
|
||||
}
|
||||
len -= p - sp;
|
||||
tmp -= p - sp;
|
||||
}
|
||||
len = length;
|
||||
}
|
||||
} else if (xclass != 0) {
|
||||
p += len;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user