diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2021-04-12 05:58:14 +0200 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2021-04-16 04:10:08 +0200 |
commit | 42e7d2f10e3658c0c248df8a6edf3c48c477e4b0 (patch) | |
tree | 1122340c23e67327e2673fd516c5be2dc666e228 /crypto/asn1 | |
parent | SipHash: Fix CTRL API for the digest size. (diff) | |
download | openssl-42e7d2f10e3658c0c248df8a6edf3c48c477e4b0.tar.xz openssl-42e7d2f10e3658c0c248df8a6edf3c48c477e4b0.zip |
Add more negative checks for integers passed to OPENSSL_malloc().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14830)
Diffstat (limited to 'crypto/asn1')
-rw-r--r-- | crypto/asn1/a_dup.c | 3 | ||||
-rw-r--r-- | crypto/asn1/a_int.c | 6 | ||||
-rw-r--r-- | crypto/asn1/a_mbstr.c | 2 | ||||
-rw-r--r-- | crypto/asn1/bio_asn1.c | 2 | ||||
-rw-r--r-- | crypto/asn1/p5_pbe.c | 2 | ||||
-rw-r--r-- | crypto/asn1/p5_pbev2.c | 2 | ||||
-rw-r--r-- | crypto/asn1/tasn_utl.c | 2 |
7 files changed, 17 insertions, 2 deletions
diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c index bdefa448ec..263c8a0c5e 100644 --- a/crypto/asn1/a_dup.c +++ b/crypto/asn1/a_dup.c @@ -24,6 +24,9 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x) return NULL; i = i2d(x, NULL); + if (i <= 0) + return NULL; + b = OPENSSL_malloc(i + 10); if (b == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 0fc469804d..19e41ec73e 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -398,7 +398,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, ASN1_INTEGER *ret = NULL; const unsigned char *p; unsigned char *s; - long len; + long len = 0; int inf, tag, xclass; int i; @@ -421,6 +421,10 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, goto err; } + if (len < 0) { + i = ASN1_R_ILLEGAL_NEGATIVE_VALUE; + goto err; + } /* * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies * a missing NULL parameter. diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c index 208a383af2..22dea873ee 100644 --- a/crypto/asn1/a_mbstr.c +++ b/crypto/asn1/a_mbstr.c @@ -55,6 +55,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, len = strlen((const char *)in); if (!mask) mask = DIRSTRING_TYPE; + if (len < 0) + return -1; /* First do a string check and work out the number of characters */ switch (inform) { diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index dc99e2d7c2..19af059a2c 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -118,7 +118,7 @@ static int asn1_bio_new(BIO *b) static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size) { - if ((ctx->buf = OPENSSL_malloc(size)) == NULL) { + if (size <= 0 || (ctx->buf = OPENSSL_malloc(size)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/crypto/asn1/p5_pbe.c b/crypto/asn1/p5_pbe.c index b6388cd12f..fb43044822 100644 --- a/crypto/asn1/p5_pbe.c +++ b/crypto/asn1/p5_pbe.c @@ -44,6 +44,8 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, } if (!saltlen) saltlen = PKCS5_SALT_LEN; + if (saltlen < 0) + goto err; sstr = OPENSSL_malloc(saltlen); if (sstr == NULL) { diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index 738e3a0d10..1049f01905 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -160,6 +160,8 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, kdf->salt->value.octet_string = osalt; kdf->salt->type = V_ASN1_OCTET_STRING; + if (saltlen < 0) + goto merr; if (saltlen == 0) saltlen = PKCS5_SALT_LEN; if ((osalt->data = OPENSSL_malloc(saltlen)) == NULL) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index 12a6b15999..28a4b23aa4 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -168,6 +168,8 @@ int ossl_asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, return 1; OPENSSL_free(enc->enc); + if (inlen <= 0) + return 0; if ((enc->enc = OPENSSL_malloc(inlen)) == NULL) { ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE); return 0; |