1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From f979435823a02f842c41d49cd41cc81f25b5d677 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 20 Apr 2015 14:56:27 +0200
Subject: [PATCH] _asn1_extract_der_octet: prevent past of boundary access
Fixes CVE-2015-3622.
Upstream-Status: Backport
Reported by Hanno Böck.
---
lib/decoding.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/lib/decoding.c b/lib/decoding.c
index 7fbd931..42ddc6b 100644
--- a/lib/decoding.c
+++ b/lib/decoding.c
@@ -732,6 +732,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
return ASN1_DER_ERROR;
counter = len3 + 1;
+ DECR_LEN(der_len, len3);
if (len2 == -1)
counter_end = der_len - 2;
@@ -740,6 +741,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
while (counter < counter_end)
{
+ DECR_LEN(der_len, 1);
len2 = asn1_get_length_der (der + counter, der_len, &len3);
if (IS_ERR(len2, flags))
@@ -764,7 +766,6 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
len2 = 0;
}
- DECR_LEN(der_len, 1);
counter += len2 + len3 + 1;
}
--
1.7.2.5
|
