authorMiod Vallat <miod@cvs.openbsd.org>2014-07-11 15:35:54 +0000
committerMiod Vallat <miod@cvs.openbsd.org>2014-07-11 15:35:54 +0000
commit541a68a7b1ed441f5c22ffbc7dd5d6958cc06d37 (patch)
tree88f544d3c192afea942333072691d1a4239ed000
parentcb9592527e657aa1f347a59c1c998663b31adf79 (diff)
Missing bounds check in do_PVK_body(); OpenSSL RT #2277, from OpenSSL trunk,
but without a memory leak.
-rw-r--r--lib/libssl/src/crypto/pem/pvkfmt.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/libssl/src/crypto/pem/pvkfmt.c b/lib/libssl/src/crypto/pem/pvkfmt.c
index 55cfffa7bc7..32fcc181f74 100644
--- a/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.10 2014/07/11 15:35:53 miod Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2005.
*/
@@ -722,13 +722,14 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
const unsigned char *p = *in;
unsigned int magic;
unsigned char *enctmp = NULL, *q;
-
EVP_CIPHER_CTX cctx;
+
EVP_CIPHER_CTX_init(&cctx);
if (saltlen) {
char psbuf[PEM_BUFSIZE];
unsigned char keybuf[20];
int enctmplen, inlen;
+
if (cb)
inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
else
@@ -742,8 +743,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
return NULL;
}
- if (!derive_pvk_key(keybuf, p, saltlen,
- (unsigned char *)psbuf, inlen)) {
+ if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf,
+ inlen)) {
free(enctmp);
return NULL;
}
@@ -751,6 +752,11 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
/* Copy BLOBHEADER across, decrypt rest */
memcpy(enctmp, p, 8);
p += 8;
+ if (keylen < 8) {
+ PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
+ free(enctmp);
+ return NULL;
+ }
inlen = keylen - 8;
q = enctmp + 8;
if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
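Review bot: The added `if (keylen < 8)` test runs only after `memcpy(enctmp, p, 8);` and `p += 8;`, so a blob declaring fewer than 8 key bytes still has 8 bytes read from the input before it is rejected. Whether those 8 bytes are guaranteed to lie inside the caller's buffer depends on the length validation done before do_PVK_body is entered, which is outside this hunk. Moving the whole `if (keylen < 8) { ... }` block above the `memcpy` would reject the short blob before anything is copied. The new early return is also reached after `derive_pvk_key()` has filled `keybuf` and the callback has filled `psbuf`; if the rest of the function (not shown here) wipes those buffers on its other exits, this exit should wipe them as well.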