forked from pool/openssl
86 lines
3.4 KiB
Diff
86 lines
3.4 KiB
Diff
|
commit 1a87b757b9f755f687492f6b9f685be8e0cd82b0
|
|||
|
|
Author: Dr. Stephen Henson <steve@openssl.org>
|
|||
|
|
Date: Mon Feb 23 12:57:50 2015 +0000
|
|||
|
|
|
|||
|
|
Free up passed ASN.1 structure if reused.
|
|||
|
|
|
|||
|
|
Change the "reuse" behaviour in ASN1_item_d2i: if successful the old
|
|||
|
|
structure is freed and a pointer to the new one used. If it is not
|
|||
|
|
successful then the passed structure is untouched.
|
|||
|
|
|
|||
|
|
Exception made for primitive types so ssl_asn1.c still works.
|
|||
|
|
|
|||
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|||
|
|
Reviewed-by: Emilia K<>sper <emilia@openssl.org>
|
|||
|
|
|
|||
|
|
commit a9f34a7aac5fd89f33a34fb71e954b85fbf35875
|
|||
|
|
Author: Dr. Stephen Henson <steve@openssl.org>
|
|||
|
|
Date: Mon Feb 23 02:32:44 2015 +0000
|
|||
|
|
|
|||
|
|
Free up ADB and CHOICE if already initialised.
|
|||
|
|
|
|||
|
|
CVE-2015-0287
|
|||
|
|
|
|||
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
|
|||
|
|
Reviewed-by: Emilia K<>sper <emilia@openssl.org>
|
|||
|
|
|
|||
|
|
Index: openssl-1.0.1i/crypto/asn1/tasn_dec.c
|
|||
|
|
===================================================================
|
|||
|
|
--- openssl-1.0.1i.orig/crypto/asn1/tasn_dec.c 2015-03-17 13:18:26.732161376 +0100
|
|||
|
|
+++ openssl-1.0.1i/crypto/asn1/tasn_dec.c 2015-03-17 13:22:20.424576154 +0100
|
|||
|
|
@@ -311,9 +317,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|||
|
|
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
|
|||
|
|
goto auxerr;
|
|||
|
|
|
|||
|
|
- /* Allocate structure */
|
|||
|
|
- if (!*pval && !ASN1_item_ex_new(pval, it))
|
|||
|
|
- {
|
|||
|
|
+ if (*pval) {
|
|||
|
|
+ /* Free up and zero CHOICE value if initialised */
|
|||
|
|
+ i = asn1_get_choice_selector(pval, it);
|
|||
|
|
+ if ((i >= 0) && (i < it->tcount)) {
|
|||
|
|
+ tt = it->templates + i;
|
|||
|
|
+ pchptr = asn1_get_field_ptr(pval, tt);
|
|||
|
|
+ ASN1_template_free(pchptr, tt);
|
|||
|
|
+ asn1_set_choice_selector(pval, -1, it);
|
|||
|
|
+ }
|
|||
|
|
+ } else if (!ASN1_item_ex_new(pval, it)) {
|
|||
|
|
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
|
|||
|
|
ERR_R_NESTED_ASN1_ERROR);
|
|||
|
|
goto err;
|
|||
|
|
@@ -407,6 +420,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
|
|||
|
|
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
|
|||
|
|
goto auxerr;
|
|||
|
|
|
|||
|
|
+ /* Free up and zero any ADB found */
|
|||
|
|
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
|
|||
|
|
+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
|
|||
|
|
+ const ASN1_TEMPLATE *seqtt;
|
|||
|
|
+ ASN1_VALUE **pseqval;
|
|||
|
|
+ seqtt = asn1_do_adb(pval, tt, 1);
|
|||
|
|
+ pseqval = asn1_get_field_ptr(pval, seqtt);
|
|||
|
|
+ ASN1_template_free(pseqval, seqtt);
|
|||
|
|
+ }
|
|||
|
|
+ }
|
|||
|
|
+
|
|||
|
|
/* Get each field entry */
|
|||
|
|
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
|
|||
|
|
{
|
|||
|
|
Index: openssl-1.0.1i/doc/crypto/d2i_X509.pod
|
|||
|
|
===================================================================
|
|||
|
|
--- openssl-1.0.1i.orig/doc/crypto/d2i_X509.pod 2015-03-17 13:18:26.731161362 +0100
|
|||
|
|
+++ openssl-1.0.1i/doc/crypto/d2i_X509.pod 2015-03-17 13:18:52.046531518 +0100
|
|||
|
|
@@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts
|
|||
|
|
persist if they are not present in the new one. As a result the use
|
|||
|
|
of this "reuse" behaviour is strongly discouraged.
|
|||
|
|
|
|||
|
|
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
|
|||
|
|
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
|
|||
|
|
+set to the value of the newly decoded structure. As a result B<*px>
|
|||
|
|
+B<must not> be allocated on the stack or an attempt will be made to
|
|||
|
|
+free an invalid pointer.
|
|||
|
|
+
|
|||
|
|
i2d_X509() will not return an error in many versions of OpenSSL,
|
|||
|
|
if mandatory fields are not initialized due to a programming error
|
|||
|
|
then the encoded structure may contain invalid data or omit the
|