From: Gergely Nagy Date: Wed, 14 Dec 2016 12:19:01 +0000 (+0100) Subject: [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939) X-Git-Tag: archive/raspbian/8.7.0+git220824-1+rpi1~1^2^2^2^2~2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=220caa8f1c66897aaf2e11a76cdb579e13c3e058;p=libcrypto%2B%2B.git [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939) Gbp-Pq: Name CVE-2016-9939.patch --- diff --git a/asn.cpp b/asn.cpp index 13cd50c..0017f28 100644 --- a/asn.cpp +++ b/asn.cpp @@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str) size_t bc; if (!BERLengthDecode(bt, bc)) BERDecodeError(); + if (bc > bt.MaxRetrievable()) + BERDecodeError(); str.New(bc); if (bc != bt.Get(str, bc)) @@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation & size_t bc; if (!BERLengthDecode(bt, bc)) BERDecodeError(); + if (bc > bt.MaxRetrievable()) + BERDecodeError(); bt.TransferTo(str, bc); return bc; @@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as size_t bc; if (!BERLengthDecode(bt, bc)) BERDecodeError(); + if (bc > bt.MaxRetrievable()) + BERDecodeError(); SecByteBlock temp(bc); if (bc != bt.Get(temp, bc)) @@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne size_t bc; if (!BERLengthDecode(bt, bc)) BERDecodeError(); + if (bc == 0) + BERDecodeError(); + if (bc > bt.MaxRetrievable()) + BERDecodeError(); byte unused; if (!bt.Get(unused)) diff --git a/asn.h b/asn.h index 8c8ac32..adb677d 100644 --- a/asn.h +++ b/asn.h @@ -486,6 +486,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER, bool definite = BERLengthDecode(in, bc); if (!definite) BERDecodeError(); + if (bc > in.MaxRetrievable()) + BERDecodeError(); SecByteBlock buf(bc);