diff options
| author | Kurt Roeckx <kurt@roeckx.be> | 2014-12-15 17:15:16 +0100 |
|---|---|---|
| committer | Kurt Roeckx <kurt@roeckx.be> | 2014-12-18 15:03:52 +0100 |
| commit | 5a1e8c67a90aead86ccc2dda324e8f897d1a044d (patch) | |
| tree | bdb9a1a1812cf0a122c68dd0d316e3d2b03ef2b8 | |
| parent | 040b60f6fa50de325ecace8a6a06e02485942d94 (diff) | |
| download | openssl-5a1e8c67a90aead86ccc2dda324e8f897d1a044d.tar.gz | |
Return error when a bit string indicates an invalid amount of bits left
Reviewed-by: Matt Caswell <matt@openssl.org>
| -rw-r--r-- | crypto/asn1/a_bitstr.c | 7 | ||||
| -rw-r--r-- | crypto/asn1/asn1.h | 1 | ||||
| -rw-r--r-- | crypto/asn1/asn1_err.c | 1 |
3 files changed, 8 insertions, 1 deletions
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 0cb899f058..4ca4a5638e 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, p= *pp; i= *(p++); + if (i > 7) + { + i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT; + goto err; + } /* We do this to preserve the settings. If we modify * the settings, via the _set_bit function, we will recalculate * on output */ ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */ - ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */ + ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */ if (len-- > 1) /* using one because of the bits left byte */ { diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index ed1a28a084..37adcb312a 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -1350,6 +1350,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_ILLEGAL_TIME_VALUE 184 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128 +#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220 #define ASN1_R_INVALID_BMPSTRING_LENGTH 129 #define ASN1_R_INVALID_DIGIT 130 #define ASN1_R_INVALID_MIME_TYPE 205 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 0217049b5c..6eb47f79d3 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -249,6 +249,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"}, {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"}, {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"}, +{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"}, {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"}, {ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"}, {ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"}, |