diff options
author | Joel Sing <jsing@cvs.openbsd.org> | 2015-06-11 15:58:54 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2015-06-11 15:58:54 +0000 |
commit | 288d7d47a5964e47269a21629229b37606930808 (patch) | |
tree | b8c7b3959d0b9d62e4ce0b4582b78acfa02b0921 /lib/libcrypto/x509/x509_vfy.c | |
parent | a8e50a85b6b5fc1afe7979fc6483f583e3cc308e (diff) |
Avoid a potential out-of-bounds read in X509_cmp_time(), due to missing
length checks.
Diff based on changes in OpenSSL.
Fixes CVE-2015-1789.
ok doug@
Diffstat (limited to 'lib/libcrypto/x509/x509_vfy.c')
-rw-r--r-- | lib/libcrypto/x509/x509_vfy.c | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c index 442035625a8..a20c755d7f3 100644 --- a/lib/libcrypto/x509/x509_vfy.c +++ b/lib/libcrypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.41 2015/04/11 16:03:21 deraadt Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.42 2015/06/11 15:58:53 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1644,35 +1644,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) memcpy(p, str, 10); p += 10; str += 10; + i -= 10; } else { if (i < 13) return 0; memcpy(p, str, 12); p += 12; str += 12; + i -= 12; } + if (i < 1) + return 0; if ((*str == 'Z') || (*str == '-') || (*str == '+')) { *(p++) = '0'; *(p++) = '0'; } else { + if (i < 2) + return 0; *(p++) = *(str++); *(p++) = *(str++); + i -= 2; + if (i < 1) + return 0; /* Skip any fractional seconds... */ if (*str == '.') { str++; - while ((*str >= '0') && (*str <= '9')) + i--; + while (i > 1 && (*str >= '0') && (*str <= '9')) { str++; + i--; + } } } *(p++) = 'Z'; *(p++) = '\0'; - if (*str == 'Z') + if (i < 1) + return 0; + if (*str == 'Z') { + if (i != 1) + return 0; offset = 0; - else { + } else { + if (i != 5) + return 0; if ((*str != '+') && (*str != '-')) return 0; + if (str[1] < '0' || str[1] > '9' || + str[2] < '0' || str[2] > '9' || + str[3] < '0' || str[3] > '9' || + str[4] < '0' || str[4] > '9') + return 0; offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; offset += (str[3] - '0') * 10 + (str[4] - '0'); if (*str == '-') |