diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2016-04-15 02:37:09 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-05-03 13:05:34 +0100 |
| commit | d4b25980020821d4685752ecb9105c0902109ab5 (patch) | |
| tree | 3aef8e6d43af44784007d8b85e3bd1f0319eae6e /crypto/asn1/tasn_dec.c | |
| parent | 68595c0c2886e7942a14f98c17a55a88afb6c292 (diff) | |
| download | openssl-d4b25980020821d4685752ecb9105c0902109ab5.tar.gz | |
Fix ASN1_INTEGER handling.
Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
for on the wire encoding.
Thanks to David Benjamin <davidben@google.com> for reporting this bug.
This was found using libFuzzer.
RT#4364 (part)CVE-2016-2108.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'crypto/asn1/tasn_dec.c')
| -rw-r--r-- | crypto/asn1/tasn_dec.c | 2 |
1 files changed, 0 insertions, 2 deletions
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index 5a507967c8..6bdcd5c542 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; |