author | Miod Vallat <miod@cvs.openbsd.org> | 2014-07-11 15:35:54 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2014-07-11 15:35:54 +0000 |
commit | 541a68a7b1ed441f5c22ffbc7dd5d6958cc06d37 (patch) | |
tree | 88f544d3c192afea942333072691d1a4239ed000 | |
parent | cb9592527e657aa1f347a59c1c998663b31adf79 (diff) |
Missing bounds check in do_PVK_body(); OpenSSL RT #2277, from OpenSSL trunk,
but without a memory leak.
-rw-r--r-- | lib/libssl/src/crypto/pem/pvkfmt.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/libssl/src/crypto/pem/pvkfmt.c b/lib/libssl/src/crypto/pem/pvkfmt.c
index 55cfffa7bc7..32fcc181f74 100644
--- a/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.9 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.10 2014/07/11 15:35:53 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -722,13 +722,14 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 const unsigned char *p = *in;
 unsigned int magic;
 unsigned char *enctmp = NULL, *q;
-
 EVP_CIPHER_CTX cctx;
+
 EVP_CIPHER_CTX_init(&cctx);
 if (saltlen) {
 char psbuf[PEM_BUFSIZE];
 unsigned char keybuf[20];
 int enctmplen, inlen;
+
 if (cb)
 inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
 else
@@ -742,8 +743,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
 return NULL;
 }
- if (!derive_pvk_key(keybuf, p, saltlen,
- (unsigned char *)psbuf, inlen)) {
+ if (!derive_pvk_key(keybuf, p, saltlen, (unsigned char *)psbuf,
+ inlen)) {
 free(enctmp);
 return NULL;
 }
@@ -751,6 +752,11 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 /* Copy BLOBHEADER across, decrypt rest */
 memcpy(enctmp, p, 8);
 p += 8;
+ if (keylen < 8) {
+ PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
+ free(enctmp);
+ return NULL;
+ }
 inlen = keylen - 8;
 q = enctmp + 8;
 if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL))
|
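Review bot: The new `if (keylen < 8)` check in the last hunk sits after `memcpy(enctmp, p, 8);` and `p += 8;`, so when keylen is below 8 the copy has already consumed 8 bytes of input before the length is rejected. Whether those 8 bytes are guaranteed to exist depends on the caller's length validation and on how enctmp is sized, both of which lie outside this hunk (do_PVK_body starts before it and continues past it); if only saltlen + keylen bytes are guaranteed, the copy reads past the supplied data. Moving the whole check above the memcpy would make the guard cover the copy as well as the later `inlen = keylen - 8;` subtraction. Since derive_pvk_key() has already filled keybuf on this path, it may also be worth clearing keybuf before the early `return NULL;`, if the normal path does so further down.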