diff options
Diffstat (limited to 'main/openssl/CVE-2016-2182.patch')
| -rw-r--r-- | main/openssl/CVE-2016-2182.patch | 104 |
1 files changed, 0 insertions, 104 deletions
diff --git a/main/openssl/CVE-2016-2182.patch b/main/openssl/CVE-2016-2182.patch deleted file mode 100644 index b966748404..0000000000 --- a/main/openssl/CVE-2016-2182.patch +++ /dev/null @@ -1,104 +0,0 @@ -From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001 -From: "Dr. Stephen Henson" <steve@openssl.org> -Date: Fri, 5 Aug 2016 14:26:03 +0100 -Subject: [PATCH] Check for errors in BN_bn2dec() - -If an oversize BIGNUM is presented to BN_bn2dec() it can cause -BN_div_word() to fail and not reduce the value of 't' resulting -in OOB writes to the bn_data buffer and eventually crashing. - -Fix by checking return value of BN_div_word() and checking writes -don't overflow buffer. - -Thanks to Shi Lei for reporting this bug. - -CVE-2016-2182 - -Reviewed-by: Tim Hudson <tjh@openssl.org> -(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34) - -Conflicts: - crypto/bn/bn_print.c ---- - crypto/bn/bn_print.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c -index bfa31ef..b44403e 100644 ---- a/crypto/bn/bn_print.c -+++ b/crypto/bn/bn_print.c -@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) - char *p; - BIGNUM *t = NULL; - BN_ULONG *bn_data = NULL, *lp; -+ int bn_data_num; - - /*- - * get an upper bound for the length of the decimal integer -@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) - */ - i = BN_num_bits(a) * 3; - num = (i / 10 + i / 1000 + 1) + 1; -- bn_data = -- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); -- buf = (char *)OPENSSL_malloc(num + 3); -+ bn_data_num = num / BN_DEC_NUM + 1; -+ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); -+ buf = OPENSSL_malloc(num + 3); - if ((buf == NULL) || (bn_data == NULL)) { - BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); - goto err; -@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a) - i = 0; - while (!BN_is_zero(t)) { - *lp = BN_div_word(t, BN_DEC_CONV); -+ if (*lp == (BN_ULONG)-1) -+ goto err; - lp++; -+ if (lp - bn_data >= bn_data_num) -+ goto err; - } - lp--; - /* --- -1.9.1 - -From 67e11f1d44b85758f01b4905d64c4c49476c1db5 Mon Sep 17 00:00:00 2001 -From: Kazuki Yamaguchi <k@rhe.jp> -Date: Mon, 22 Aug 2016 02:36:36 +0900 -Subject: [PATCH] Fix overflow check in BN_bn2dec() - -Fix an off by one error in the overflow check added by 07bed46f332fc -("Check for errors in BN_bn2dec()"). - -Reviewed-by: Stephen Henson <steve@openssl.org> -Reviewed-by: Matt Caswell <matt@openssl.org> -(cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30) ---- - crypto/bn/bn_print.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c -index b44403e..a9ff271 100644 ---- a/crypto/bn/bn_print.c -+++ b/crypto/bn/bn_print.c -@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a) - if (BN_is_negative(t)) - *p++ = '-'; - -- i = 0; - while (!BN_is_zero(t)) { -+ if (lp - bn_data >= bn_data_num) -+ goto err; - *lp = BN_div_word(t, BN_DEC_CONV); - if (*lp == (BN_ULONG)-1) - goto err; - lp++; -- if (lp - bn_data >= bn_data_num) -- goto err; - } - lp--; - /* --- -1.9.1 - |