diff options
author | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-09-09 14:06:50 +0000 |
---|---|---|
committer | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2017-09-09 14:06:50 +0000 |
commit | 1433d4337cdfa6422d75e83ef63b8f64fc95bf6b (patch) | |
tree | 27c33a27c966c8c66727795ee272de9ad5578145 /ext/openssl | |
parent | 842d5cff6a9debcd10398ee1e95b85268620a290 (diff) |
asn1: fix out-of-bounds read in decoding constructed objects
* OpenSSL::ASN1.{decode,decode_all,traverse}: have a bug of
out-of-bounds read. int_ossl_asn1_decode0_cons() does not give the
correct available length to ossl_asn1_decode() when decoding the
inner components of a constructed object. This can cause
out-of-bounds read if a crafted input given.
Reference: https://hackerone.com/reports/170316
https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59800 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext/openssl')
-rw-r--r-- | ext/openssl/ossl_asn1.c | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c index 89da5949b8..444440125c 100644 --- a/ext/openssl/ossl_asn1.c +++ b/ext/openssl/ossl_asn1.c @@ -870,19 +870,18 @@ int_ossl_asn1_decode0_cons(unsigned char **pp, long max_len, long length, { VALUE value, asn1data, ary; int infinite; - long off = *offset; + long available_len, off = *offset; infinite = (j == 0x21); ary = rb_ary_new(); - while (length > 0 || infinite) { + available_len = infinite ? max_len : length; + while (available_len > 0) { long inner_read = 0; - value = ossl_asn1_decode0(pp, max_len, &off, depth + 1, yield, &inner_read); + value = ossl_asn1_decode0(pp, available_len, &off, depth + 1, yield, &inner_read); *num_read += inner_read; - max_len -= inner_read; + available_len -= inner_read; rb_ary_push(ary, value); - if (length > 0) - length -= inner_read; if (infinite && NUM2INT(ossl_asn1_get_tag(value)) == V_ASN1_EOC && @@ -973,7 +972,7 @@ ossl_asn1_decode0(unsigned char **pp, long length, long *offset, int depth, if(j & V_ASN1_CONSTRUCTED) { *pp += hlen; off += hlen; - asn1data = int_ossl_asn1_decode0_cons(pp, length, len, &off, depth, yield, j, tag, tag_class, &inner_read); + asn1data = int_ossl_asn1_decode0_cons(pp, length - hlen, len, &off, depth, yield, j, tag, tag_class, &inner_read); inner_read += hlen; } else { |