authorDr. Stephen Henson <steve@openssl.org>2016-08-15 16:52:21 +0100
committerDr. Stephen Henson <steve@openssl.org>2016-08-16 00:27:10 +0100
commit66bcba145740e4f1210499ba6e5033035a2a4647 (patch)
tree928a295acb74b39823d9aa8fa77b305943cbc338
parent8b9afbc0fc7f8be0049d389d34d9416fa377e2aa (diff)
Limit reads in do_b2i_bio()
Apply a limit to the maximum blob length which can be read in do_b2i_bio() to avoid excessive allocation. Thanks to Shi Lei for reporting this. Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r--crypto/pem/pvkfmt.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index 3a27f2d7fc..416bfc2a47 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -66,6 +66,9 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
# define MS_KEYTYPE_KEYX 0x1
# define MS_KEYTYPE_SIGN 0x2
+/* Maximum length of a blob after header */
+# define BLOB_MAX_LENGTH 102400
+
/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
# define MS_PVKMAGIC 0xb0b5f11eL
/* Salt length for PVK files */
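Review bot: The comment on `BLOB_MAX_LENGTH` gives neither the unit nor the reason for 102400, so a later reader cannot tell whether the cap still covers the largest legitimate key blob. I would expand it to something like `/* Maximum blob body length in bytes (after the header) that do_b2i_bio() will allocate; the length is derived from the untrusted header */`. How the value relates to the largest supported key size is not visible in this hunk and is worth stating next to the define.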
@@ -211,6 +214,10 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub)
return NULL;
length = blob_length(bitlen, isdss, ispub);
+ if (length > BLOB_MAX_LENGTH) {
+ PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG);
+ return NULL;
+ }
buf = OPENSSL_malloc(length);
if (buf == NULL) {
PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE);
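Review bot: The new `length > BLOB_MAX_LENGTH` check bounds the value returned by blob_length(), not the header field `bitlen` it is computed from, so it only holds if blob_length() cannot wrap for a very large `bitlen`. blob_length() is outside this hunk, so that needs confirming. If it can wrap, a small wrapped `length` would pass the check while `bitlen` stays large for whatever parses the buffer afterwards. Separately, `PEM_R_HEADER_TOO_LONG` is raised although it is the blob body, not the header, that exceeds the limit; a comment such as `/* reason code reused: the blob body exceeds BLOB_MAX_LENGTH */` would keep error logs from being misread. do_b2i_bio's body starts and ends outside the hunk.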