forked from pool/openssl
29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
|
commit ee5a1253285e5c9f406c8b57b0686319b70c07d8
|
||
|
|
Author: Dr. Stephen Henson <steve@openssl.org>
|
||
|
|
Date: Mon Mar 9 23:11:45 2015 +0000
|
||
|
|
|
||
|
|
Fix ASN1_TYPE_cmp
|
||
|
|
|
||
|
|
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
|
||
|
|
can be triggered during certificate verification so could be a DoS attack
|
||
|
|
against a client or a server enabling client authentication.
|
||
|
|
|
||
|
|
CVE-2015-0286
|
||
|
|
|
||
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
|
||
|
|
|
||
|
|
Index: openssl-1.0.1i/crypto/asn1/a_type.c
|
||
|
|
===================================================================
|
||
|
|
--- openssl-1.0.1i.orig/crypto/asn1/a_type.c 2015-03-17 14:15:18.832332902 +0100
|
||
|
|
+++ openssl-1.0.1i/crypto/asn1/a_type.c 2015-03-17 14:15:19.738346161 +0100
|
||
|
|
@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
|
||
|
|
case V_ASN1_OBJECT:
|
||
|
|
result = OBJ_cmp(a->value.object, b->value.object);
|
||
|
|
break;
|
||
|
|
+ case V_ASN1_BOOLEAN:
|
||
|
|
+ result = a->value.boolean - b->value.boolean;
|
||
|
|
+ break;
|
||
|
|
case V_ASN1_NULL:
|
||
|
|
result = 0; /* They do not have content. */
|
||
|
|
break;
|