aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKazuki Yamaguchi <k@rhe.jp>2021-06-28 17:48:47 +0900
committerKazuki Yamaguchi <k@rhe.jp>2021-09-27 15:59:58 +0900
commitb8eed2b9b93a98af34d14856def66ee4a062a1f9 (patch)
tree7648e48bc19b14083bee24ed845980c5820390d0
parent87887fec2a2e973ed4e05187f7d05a4cb6d92eaa (diff)
downloadruby-openssl-ky/pkey-ec-verify-overflow.tar.gz
pkey: use RSTRING_LENINT() instead of casting to intky/pkey-ec-verify-overflow
RSTRING_LENINT() checks the range of int and raises an exception as necessary. OpenSSL::PKey::EC#dsa_verify_asn1 currently does not do this, and giving a too big string to it can trigger a surprising behavior: ec.dsa_verify_asn1(digest, signature) #=> true ec.dsa_verify_asn1(digest, signature + "x" * 2**32) #=> true Reference: https://hackerone.com/reports/1246050
Diffstat
-rw-r--r--ext/openssl/ossl_pkey_ec.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index 8bb61124..b47678dc 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -653,15 +653,15 @@ static VALUE ossl_ec_key_dsa_verify_asn1(VALUE self, VALUE data, VALUE sig)
StringValue(data);
StringValue(sig);
- switch (ECDSA_verify(0, (unsigned char *) RSTRING_PTR(data), RSTRING_LENINT(data), (unsigned char *) RSTRING_PTR(sig), (int)RSTRING_LEN(sig), ec)) {
- case 1: return Qtrue;
- case 0: return Qfalse;
- default: break;
+ switch (ECDSA_verify(0, (unsigned char *)RSTRING_PTR(data), RSTRING_LENINT(data),
+ (unsigned char *)RSTRING_PTR(sig), RSTRING_LENINT(sig), ec)) {
+ case 1:
+ return Qtrue;
+ case 0:
+ return Qfalse;
+ default:
+ ossl_raise(eECError, "ECDSA_verify");
}
-
- ossl_raise(eECError, "ECDSA_verify");
-
- UNREACHABLE;
}
/*
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-30 21:26:57 +0000