source: trunk/server/common/patches/openssl-1.0.1e-cve-2015-3195.patch @ 2757

Last change on this file since 2757 was 2743, checked in by achernya, 7 years ago
Patch openssl against a DoS
File size: 1.6 KB
  • crypto/asn1/tasn_dec.c

    From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001
    From: "Dr. Stephen Henson" <steve@openssl.org>
    Date: Tue, 10 Nov 2015 19:03:07 +0000
    Subject: [PATCH] Fix leak with ASN.1 combine.
    
    When parsing a combined structure pass a flag to the decode routine
    so on error a pointer to the parent structure is not zeroed as
    this will leak any additional components in the parent.
    
    This can leak memory in any application parsing PKCS#7 or CMS structures.
    
    CVE-2015-3195.
    
    Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
    libFuzzer.
    
    PR#4131
    
    Reviewed-by: Richard Levitte <levitte@openssl.org>
    
    Edited-to-apply: Alexander Chernyakhovsky <achernya@mit.edu>
    ---
     crypto/asn1/tasn_dec.c | 7 +++++--
     1 file changed, 5 insertions(+), 2 deletions(-)
    
    diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
    index febf605..9256049 100644
    a b  
    169169        int otag;
    170170        int ret = 0;
    171171        ASN1_VALUE **pchptr, *ptmpval;
     172        int combine = aclass & ASN1_TFLG_COMBINE;
     173        aclass &= ~ASN1_TFLG_COMBINE;
    172174        if (!pval)
    173175                return 0;
    174176        if (aux && aux->asn1_cb)
     
    539541        auxerr:
    540542        ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
    541543        err:
     544        if (combine == 0)
    542545        ASN1_item_ex_free(pval, it);
    543546        if (errtt)
    544547                ERR_add_error_data(4, "Field=", errtt->field_name,
     
    767770                {
    768771                /* Nothing special */
    769772                ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
    770                                                         -1, 0, opt, ctx);
     773                                                        -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
    771774                if (!ret)
    772775                        {
    773776                        ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
Note: See TracBrowser for help on using the repository browser.