summaryrefslogtreecommitdiffstats
path: root/crypto/asn1
diff options
context:
space:
mode:
authorShane Lontis <shane.lontis@oracle.com>2021-04-12 05:58:14 +0200
committerShane Lontis <shane.lontis@oracle.com>2021-04-16 04:10:08 +0200
commit42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 (patch)
tree1122340c23e67327e2673fd516c5be2dc666e228 /crypto/asn1
parentSipHash: Fix CTRL API for the digest size. (diff)
downloadopenssl-42e7d2f10e3658c0c248df8a6edf3c48c477e4b0.tar.xz
openssl-42e7d2f10e3658c0c248df8a6edf3c48c477e4b0.zip
Add more negative checks for integers passed to OPENSSL_malloc().
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14830)
Diffstat (limited to 'crypto/asn1')
-rw-r--r--crypto/asn1/a_dup.c3
-rw-r--r--crypto/asn1/a_int.c6
-rw-r--r--crypto/asn1/a_mbstr.c2
-rw-r--r--crypto/asn1/bio_asn1.c2
-rw-r--r--crypto/asn1/p5_pbe.c2
-rw-r--r--crypto/asn1/p5_pbev2.c2
-rw-r--r--crypto/asn1/tasn_utl.c2
7 files changed, 17 insertions, 2 deletions
diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c
index bdefa448ec..263c8a0c5e 100644
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x)
return NULL;
i = i2d(x, NULL);
+ if (i <= 0)
+ return NULL;
+
b = OPENSSL_malloc(i + 10);
if (b == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 0fc469804d..19e41ec73e 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
ASN1_INTEGER *ret = NULL;
const unsigned char *p;
unsigned char *s;
- long len;
+ long len = 0;
int inf, tag, xclass;
int i;
@@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
goto err;
}
+ if (len < 0) {
+ i = ASN1_R_ILLEGAL_NEGATIVE_VALUE;
+ goto err;
+ }
/*
* We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies
* a missing NULL parameter.
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 208a383af2..22dea873ee 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
len = strlen((const char *)in);
if (!mask)
mask = DIRSTRING_TYPE;
+ if (len < 0)
+ return -1;
/* First do a string check and work out the number of characters */
switch (inform) {
diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c
index dc99e2d7c2..19af059a2c 100644
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b)
static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)
{
- if ((ctx->buf = OPENSSL_malloc(size)) == NULL) {
+ if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;
}
diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c
index b6388cd12f..fb43044822 100644
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
}
if (!saltlen)
saltlen = PKCS5_SALT_LEN;
+ if (saltlen < 0)
+ goto err;
sstr = OPENSSL_malloc(saltlen);
if (sstr == NULL) {
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 738e3a0d10..1049f01905 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
kdf->salt->value.octet_string = osalt;
kdf->salt->type = V_ASN1_OCTET_STRING;
+ if (saltlen < 0)
+ goto merr;
if (saltlen == 0)
saltlen = PKCS5_SALT_LEN;
if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL)
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c
index 12a6b15999..28a4b23aa4 100644
--- a/crypto/asn1/tasn_utl.c
+++ b/crypto/asn1/tasn_utl.c
@@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
return 1;
OPENSSL_free(enc->enc);
+ if (inlen <= 0)
+ return 0;
if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return 0;