[openssl-commits] [openssl] master update

Dr . Stephen Henson Mon, 15 Aug 2016 16:20:46 -0700

The branch master has been updated
       via  8b9afbc0fc7f8be0049d389d34d9416fa377e2aa (commit)
       via  07bed46f332fce8c1d157689a2cdf915a982ae34 (commit)
      from  40c60b0d7389aa479cf7474a080737e901944d0d (commit)



- Log -----------------------------------------------------------------
commit 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Aug 5 14:33:03 2016 +0100

    Check for errors in a2d_ASN1_OBJECT()
    
    Check for error return in BN_div_word().
    
    Reviewed-by: Tim Hudson <t...@openssl.org>

commit 07bed46f332fce8c1d157689a2cdf915a982ae34
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Aug 5 14:26:03 2016 +0100

    Check for errors in BN_bn2dec()
    
    If an oversize BIGNUM is presented to BN_bn2dec() it can cause
    BN_div_word() to fail and not reduce the value of 't' resulting
    in OOB writes to the bn_data buffer and eventually crashing.
    
    Fix by checking return value of BN_div_word() and checking writes
    don't overflow buffer.
    
    Thanks to Shi Lei for reporting this bug.
    
    CVE-2016-2182
    
    Reviewed-by: Tim Hudson <t...@openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_object.c | 8 ++++++--
 crypto/bn/bn_print.c   | 8 +++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index 6fc7681..79f0ecd 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -127,8 +127,12 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const 
char *buf, int num)
                 if (tmp == NULL)
                     goto err;
             }
-            while (blsize--)
-                tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L);
+            while (blsize--) {
+                BN_ULONG t = BN_div_word(bl, 0x80L);
+                if (t == (BN_ULONG)-1)
+                    goto err;
+                tmp[i++] = (unsigned char)t;
+            }
         } else {
 
             for (;;) {
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index 8672c7e..f6030ff 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -62,6 +62,7 @@ char *BN_bn2dec(const BIGNUM *a)
     char *p;
     BIGNUM *t = NULL;
     BN_ULONG *bn_data = NULL, *lp;
+    int bn_data_num;
 
     /*-
      * get an upper bound for the length of the decimal integer
@@ -71,7 +72,8 @@ char *BN_bn2dec(const BIGNUM *a)
      */
     i = BN_num_bits(a) * 3;
     num = (i / 10 + i / 1000 + 1) + 1;
-    bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+    bn_data_num = num / BN_DEC_NUM + 1;
+    bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
     buf = OPENSSL_malloc(num + 3);
     if ((buf == NULL) || (bn_data == NULL)) {
         BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
@@ -93,7 +95,11 @@ char *BN_bn2dec(const BIGNUM *a)
         i = 0;
         while (!BN_is_zero(t)) {
             *lp = BN_div_word(t, BN_DEC_CONV);
+            if (*lp == (BN_ULONG)-1)
+                goto err;
             lp++;
+            if (lp - bn_data >= bn_data_num)
+                goto err;
         }
         lp--;
         /*
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

Reply via email to