source: trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch @ 2798

Last change on this file since 2798 was 2743, checked in by achernya, 8 years ago
Patch openssl against a DoS
File size: 1.6 KB
[2743]1From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001
2From: "Dr. Stephen Henson" <steve@openssl.org>
3Date: Tue, 10 Nov 2015 19:03:07 +0000
4Subject: [PATCH] Fix leak with ASN.1 combine.
5
6When parsing a combined structure pass a flag to the decode routine
7so on error a pointer to the parent structure is not zeroed as
8this will leak any additional components in the parent.
9
10This can leak memory in any application parsing PKCS#7 or CMS structures.
11
12CVE-2015-3195.
13
14Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
15libFuzzer.
16
17PR#4131
18
19Reviewed-by: Richard Levitte <levitte@openssl.org>
20
21Edited-to-apply: Alexander Chernyakhovsky <achernya@mit.edu>
22---
23 crypto/asn1/tasn_dec.c | 7 +++++--
24 1 file changed, 5 insertions(+), 2 deletions(-)
25
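diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index febf605..9256049 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -169,6 +169,8 @@
        int otag;
        int ret = 0;
        ASN1_VALUE **pchptr, *ptmpval;
+       int combine = aclass & ASN1_TFLG_COMBINE;
+       aclass &= ~ASN1_TFLG_COMBINE;
        if (!pval)
                return 0;
        if (aux && aux->asn1_cb)
@@ -539,6 +541,7 @@
        auxerr:
        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
        err:
+       if (combine == 0)
        ASN1_item_ex_free(pval, it);
        if (errtt)
                ERR_add_error_data(4, "Field=", errtt->field_name,
@@ -767,7 +770,7 @@
                {
                /* Nothing special */
                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                                                       -1, 0, opt, ctx);
+                                                       -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
                if (!ret)
                        {
                        ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,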
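Review bot: In the `err:` hunk the added `if (combine == 0)` is followed by `ASN1_item_ex_free(pval, it);` at the same indentation, so the free reads as unconditional although it is the one statement the guard controls. This condition is what stops the error path from freeing and zeroing the parent structure when a combined field fails to decode (the leak the commit message describes), so it should be braced or indented and explained: `if (combine == 0) /* combined field: *pval is the parent structure, do not free or zero it here */` with `ASN1_item_ex_free(pval, it);` indented one level beneath it. The flag reaches this function through the `aclass` argument (`tt->flags & ASN1_TFLG_COMBINE` in the last hunk) and is masked out again in the first hunk; a one-line comment next to `aclass &= ~ASN1_TFLG_COMBINE;` saying that `aclass` doubles as the carrier for this flag would keep a later caller from passing a raw class value that happens to overlap it. The enclosing function bodies start and end outside the hunks shown.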