author | Bob Beck <beck@cvs.openbsd.org> | 2016-03-02 14:28:15 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2016-03-02 14:28:15 +0000 |
commit | 80e194ff5ef5e96e95fbe5e6954f4f8db66e4518 | |
tree | 13705367dc021f4fdab621959f706215d8908e3d /lib/libcrypto | |
parent | 453d9a4298a33e3d8012f140959e81928a254c28 | |
fix the rest of the read_ledword() calls used as lengths to be bounded.
inspired by guido vranken https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/
ok doug@
Diffstat (limited to 'lib/libcrypto')
-rw-r--r-- | lib/libcrypto/pem/pvkfmt.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/libcrypto/pem/pvkfmt.c b/lib/libcrypto/pem/pvkfmt.c index c3fd0e8d0a4..7a9045396c5 100644 --- a/lib/libcrypto/pem/pvkfmt.c +++ b/lib/libcrypto/pem/pvkfmt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pvkfmt.c,v 1.15 2016/03/02 05:02:35 beck Exp $ */ +/* $OpenBSD: pvkfmt.c,v 1.16 2016/03/02 14:28:14 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2005. */ @@ -179,6 +179,10 @@ do_blob_header(const unsigned char **in, unsigned int length, p += 6; *pmagic = read_ledword(&p); *pbitlen = read_ledword(&p); + if (*pbitlen > 65536) { + PEMerr(PEM_F_DO_BLOB_HEADER, PEM_R_INCONSISTENT_HEADER); + return 0; + } *pisdss = 0; switch (*pmagic) { |
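Review bot: The new bound in do_blob_header(), `if (*pbitlen > 65536)`, uses a bare literal with no comment or named constant explaining the limit, and it only rejects the upper end, so a *pbitlen of 0 still passes. Since the commit message says this value is used as a length, suggest giving 65536 a named constant with a one-line comment stating its unit (a bit length, going by the variable name), and either rejecting zero here too or confirming that the code consuming *pbitlen copes with it. The failure is also reported as PEM_R_INCONSISTENT_HEADER before `switch (*pmagic)` has looked at the magic, so an out-of-range length is indistinguishable from other header problems in the error queue; a distinct reason code would make malformed-key reports easier to triage.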