| author | Ann Lai <ann.lai@oracle.com> |
| Thu, 30 Jul 2015 17:45:10 -0700 | |
| changeset 4723 | 4193dfeb0e39 |
| permissions | -rw-r--r-- |
|
4723
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
1 |
Source: |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
2 |
Internal |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
3 |
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
4 |
Info: |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
5 |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1569 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
6 |
The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
7 |
used in GnuTLS before 3.0.16 and other products, does not properly handle |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
8 |
certain large length values, which allows remote attackers to cause a denial |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
9 |
of service (heap memory corruption and application crash) or possibly have |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
10 |
unspecified other impact via a crafted ASN.1 structure. |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
11 |
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
12 |
Status: |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
13 |
Need to determine if this patch has been sent upstream. |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
14 |
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
15 |
--- libtasn1-2.8/lib/decoding.c.orig 2012-04-06 12:19:39.986443804 +0800 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
16 |
+++ libtasn1-2.8/lib/decoding.c 2012-04-06 12:38:38.607157322 +0800 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
17 |
@@ -55,12 +55,14 @@ |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
18 |
* Extract a length field from DER data. |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
19 |
* |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
20 |
* Returns: Return the decoded length value, or -1 on indefinite |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
21 |
- * length, or -2 when the value was too big. |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
22 |
+ * length, or -2 when the value was too big to fit in a int, or -4 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
23 |
+ * when the decoed length value plus @len would exceed @der_len. |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
24 |
+ |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
25 |
**/ |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
26 |
signed long |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
27 |
asn1_get_length_der (const unsigned char *der, int der_len, int *len) |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
28 |
{
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
29 |
- unsigned long ans; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
30 |
+ int ans; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
31 |
int k, punt; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
32 |
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
33 |
*len = 0; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
34 |
@@ -83,7 +85,7 @@ |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
35 |
ans = 0; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
36 |
while (punt <= k && punt < der_len) |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
37 |
{
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
38 |
- unsigned long last = ans; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
39 |
+ int last = ans; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
40 |
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
41 |
ans = ans * 256 + der[punt++]; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
42 |
if (ans < last) |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
43 |
@@ -93,10 +95,13 @@ |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
44 |
} |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
45 |
else |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
46 |
{ /* indefinite length method */
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
47 |
- ans = -1; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
48 |
+ *len = punt; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
49 |
+ return -1; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
50 |
} |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
51 |
|
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
52 |
*len = punt; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
53 |
+ if (ans + *len < ans || ans + *len > der_len) |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
54 |
+ return -4; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
55 |
return ans; |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
56 |
} |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
57 |
} |