diff options
Diffstat (limited to 'main/openssl/CVE-2016-2182.patch')
-rw-r--r-- | main/openssl/CVE-2016-2182.patch | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/main/openssl/CVE-2016-2182.patch b/main/openssl/CVE-2016-2182.patch new file mode 100644 index 0000000000..b966748404 --- /dev/null +++ b/main/openssl/CVE-2016-2182.patch @@ -0,0 +1,104 @@ +From e36f27ddb80a48e579783bc29fb3758988342b71 Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" <steve@openssl.org> +Date: Fri, 5 Aug 2016 14:26:03 +0100 +Subject: [PATCH] Check for errors in BN_bn2dec() + +If an oversize BIGNUM is presented to BN_bn2dec() it can cause +BN_div_word() to fail and not reduce the value of 't' resulting +in OOB writes to the bn_data buffer and eventually crashing. + +Fix by checking return value of BN_div_word() and checking writes +don't overflow buffer. + +Thanks to Shi Lei for reporting this bug. + +CVE-2016-2182 + +Reviewed-by: Tim Hudson <tjh@openssl.org> +(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34) + +Conflicts: + crypto/bn/bn_print.c +--- + crypto/bn/bn_print.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c +index bfa31ef..b44403e 100644 +--- a/crypto/bn/bn_print.c ++++ b/crypto/bn/bn_print.c +@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) + char *p; + BIGNUM *t = NULL; + BN_ULONG *bn_data = NULL, *lp; ++ int bn_data_num; + + /*- + * get an upper bound for the length of the decimal integer +@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) + */ + i = BN_num_bits(a) * 3; + num = (i / 10 + i / 1000 + 1) + 1; +- bn_data = +- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); +- buf = (char *)OPENSSL_malloc(num + 3); ++ bn_data_num = num / BN_DEC_NUM + 1; ++ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); ++ buf = OPENSSL_malloc(num + 3); + if ((buf == NULL) || (bn_data == NULL)) { + BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); + goto err; +@@ -143,7 +144,11 @@ char *BN_bn2dec(const BIGNUM *a) + i = 0; + while (!BN_is_zero(t)) { + *lp = BN_div_word(t, BN_DEC_CONV); ++ if (*lp == (BN_ULONG)-1) ++ goto err; + lp++; ++ if (lp - bn_data >= bn_data_num) ++ goto err; + } + lp--; + /* +-- +1.9.1 + +From 67e11f1d44b85758f01b4905d64c4c49476c1db5 Mon Sep 17 00:00:00 2001 +From: Kazuki Yamaguchi <k@rhe.jp> +Date: Mon, 22 Aug 2016 02:36:36 +0900 +Subject: [PATCH] Fix overflow check in BN_bn2dec() + +Fix an off by one error in the overflow check added by 07bed46f332fc +("Check for errors in BN_bn2dec()"). + +Reviewed-by: Stephen Henson <steve@openssl.org> +Reviewed-by: Matt Caswell <matt@openssl.org> +(cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30) +--- + crypto/bn/bn_print.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c +index b44403e..a9ff271 100644 +--- a/crypto/bn/bn_print.c ++++ b/crypto/bn/bn_print.c +@@ -141,14 +141,13 @@ char *BN_bn2dec(const BIGNUM *a) + if (BN_is_negative(t)) + *p++ = '-'; + +- i = 0; + while (!BN_is_zero(t)) { ++ if (lp - bn_data >= bn_data_num) ++ goto err; + *lp = BN_div_word(t, BN_DEC_CONV); + if (*lp == (BN_ULONG)-1) + goto err; + lp++; +- if (lp - bn_data >= bn_data_num) +- goto err; + } + lp--; + /* +-- +1.9.1 + |