diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2017-04-28 11:33:48 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-04-28 11:33:48 +0900 |
commit | 4620f08020d02ca0e4662176f576ff9468287fca (patch) | |
tree | 1e665c10a93bbdb481f461257257773d5c6193fc | |
parent | f2150cd74f45d49545d0787725f99723642b7c2c (diff) | |
download | openssl-4620f08020d02ca0e4662176f576ff9468287fca.tar.gz |
Fix special case in BER decoding of negative integertopic/fix-asn1-integer-decode
Leading 0xFF byte cannot be treated as a padding if all the following
bytes are 0x00. Restore a branch removed by a3ea6bf0ef70 ("asn1/a_int.c:
remove code duplicate and optimize branches,", 2017-04-11).
-rw-r--r-- | crypto/asn1/a_int.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index e154343925..6c8046c410 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -149,6 +149,8 @@ static size_t c2i_ibuf(unsigned char *b, int *pneg, const unsigned char *p, size_t plen) { int neg, pad; + size_t i; + /* Zero content length is illegal */ if (plen == 0) { ASN1err(ASN1_F_C2I_IBUF, ASN1_R_ILLEGAL_ZERO_CONTENT); @@ -167,6 +169,22 @@ static size_t c2i_ibuf(unsigned char *b, int *pneg, } return 1; } + /* leading 0xFF is not a padding if all the following bytes are zero */ + if (p[0] == 0xFF) { + /* check is any following octets are non zero */ + for (i = 1; i < plen; i++) { + if (p[i] != 0) + break; + } + /* if all bytes are zero handle as special case */ + if (i == plen) { + if (b != NULL) { + b[0] = 1; + memset(b + 1, 0, plen - 1); + } + return plen; + } + } if (p[0] == 0 || p[0] == 0xFF) pad = 1; else |