source: trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch @ 2743
Last change on this file since 2743 was 2743, checked in by achernya, 7 years ago
File size: 1.6 KB
crypto/asn1/tasn_dec.c
From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 10 Nov 2015 19:03:07 +0000
Subject: [PATCH] Fix leak with ASN.1 combine.

When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Reviewed-by: Richard Levitte <levitte@openssl.org>
Edited-to-apply: Alexander Chernyakhovsky <achernya@mit.edu>
---
 crypto/asn1/tasn_dec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index febf605..9256049 100644
a b 169 169 int otag; 170 170 int ret = 0; 171 171 ASN1_VALUE **pchptr, *ptmpval; 172 int combine = aclass & ASN1_TFLG_COMBINE; 173 aclass &= ~ASN1_TFLG_COMBINE; 172 174 if (!pval) 173 175 return 0; 174 176 if (aux && aux->asn1_cb) … … 539 541 auxerr: 540 542 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); 541 543 err: 544 if (combine == 0) 542 545 ASN1_item_ex_free(pval, it); 543 546 if (errtt) 544 547 ERR_add_error_data(4, "Field=", errtt->field_name, … … 767 770 { 768 771 /* Nothing special */ 769 772 ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), 770 -1, 0, opt, ctx);773 -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); 771 774 if (!ret) 772 775 { 773 776 ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
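Review bot: the new `int combine = aclass & ASN1_TFLG_COMBINE;` at the top of the function (new line 172) makes `aclass` carry a template flag as well as the tag class, and nothing in the hunk documents that. A short comment above the declaration, saying that the template decoder sets this bit and that `aclass &= ~ASN1_TFLG_COMBINE;` strips it before `aclass` is used as a class, would keep a later reader from treating the parameter as a pure class value or from passing the bit from another call site by accident.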
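Review bot: in the `err:` path (new line 544) the guard `if (combine == 0)` means that with the flag set the function returns failure without calling `ASN1_item_ex_free(pval, it)`, so cleanup now depends entirely on the caller, and the hunk does not say so. Please add a comment at the guard stating that in the combine case `pval` refers to the parent structure, as the commit message describes, and that the parent's owner frees it. Since the commit message says the leak was found with libFuzzer, adding the triggering input as a regression test would also be worthwhile.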
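Review bot: in the `/* Nothing special */` branch (new line 773) the argument after `-1` changes from `0` to `tt->flags & ASN1_TFLG_COMBINE`, so a template flag is passed where the callee expects a class, which is only safe because the callee masks it off first. That coupling deserves a one-line comment at the call. Only this call is changed in the visible context; if any other branch of the template decoder can reach `ASN1_item_ex_d2i` for a combined template it needs the same argument, so please confirm this is the only one.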