The branch OpenSSL_1_0_2-stable has been updated
via e36f27ddb80a48e579783bc29fb3758988342b71 (commit)
via d871284aca5524c85a6460119ac1b1e38f7e19c6 (commit)
from 657566ead90132f68aa2c9a407c9d3920476446c (commit)
- Log -----------------------------------------------------------------
commit e36f27ddb80a48e579783bc29fb3758988342b71
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Fri Aug 5 14:26:03 2016 +0100
Check for errors in BN_bn2dec()
If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.
Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.
Thanks to Shi Lei for reporting this bug.
CVE-2016-2182
Reviewed-by: Tim Hudson <t...@openssl.org>
(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)
Conflicts:
crypto/bn/bn_print.c
commit d871284aca5524c85a6460119ac1b1e38f7e19c6
Author: Dr. Stephen Henson <st...@openssl.org>
Date: Fri Aug 5 14:33:03 2016 +0100
Check for errors in a2d_ASN1_OBJECT()
Check for error return in BN_div_word().
Reviewed-by: Tim Hudson <t...@openssl.org>
(cherry picked from commit 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_object.c | 8 ++++++--
crypto/bn/bn_print.c | 11 ++++++++---
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index fba9f66..229a40f 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -174,8 +174,12 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const
char *buf, int num)
if (!tmp)
goto err;
}
- while (blsize--)
- tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L);
+ while (blsize--) {
+ BN_ULONG t = BN_div_word(bl, 0x80L);
+ if (t == (BN_ULONG)-1)
+ goto err;
+ tmp[i++] = (unsigned char)t;
+ }
} else {
for (;;) {
diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c
index bfa31ef..b44403e 100644
--- a/crypto/bn/bn_print.c
+++ b/crypto/bn/bn_print.c
@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
char *p;
BIGNUM *t = NULL;
BN_ULONG *bn_data = NULL, *lp;
+ int bn_data_num;
/*-
* get an upper bound for the length of the decimal integer
@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
*/
i = BN_num_bits(a) * 3;
num = (i / 10 + i / 1000 + 1) + 1;
- bn_data =
- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
- buf = (char *)OPENSSL_malloc(num + 3);
+ bn_data_num = num / BN_DEC_NUM + 1;
+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
+ buf = OPENSSL_malloc(num + 3);
if ((buf == NULL) || (bn_data == NULL)) {
BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
goto err;
@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a)
i = 0;
while (!BN_is_zero(t)) {
*lp = BN_div_word(t, BN_DEC_CONV);
+ if (*lp == (BN_ULONG)-1)
+ goto err;
lp++;
+ if (lp - bn_data >= bn_data_num)
+ goto err;
}
lp--;
/*
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
