authorKurt Roeckx <kurt@roeckx.be>2014-12-15 17:15:16 +0100
committerKurt Roeckx <kurt@roeckx.be>2014-12-18 15:03:52 +0100
commit5a1e8c67a90aead86ccc2dda324e8f897d1a044d (patch)
treebdb9a1a1812cf0a122c68dd0d316e3d2b03ef2b8 /crypto/asn1/a_bitstr.c
parent040b60f6fa50de325ecace8a6a06e02485942d94 (diff)
Return error when a bit string indicates an invalid amount of bits left
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'crypto/asn1/a_bitstr.c')
-rw-r--r--crypto/asn1/a_bitstr.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 0cb899f058..4ca4a5638e 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
p= *pp;
i= *(p++);
+ if (i > 7)
+ {
+ i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+ goto err;
+ }
/* We do this to preserve the settings. If we modify
* the settings, via the _set_bit function, we will recalculate
* on output */
ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
- ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+ ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
if (len-- > 1) /* using one because of the bits left byte */
{