Source:

Internal

Info:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468

The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly 

report an error when a negative bit length is identified, which allows 

context-dependent attackers to cause out-of-bounds access via crafted ASN.1 

data. 

Status:

Need to determine if this patch has been sent upstream.

--- libtasn1-2.8/lib/decoding.c.orig	2014-06-05 10:36:51.728076396 +0530

+++ libtasn1-2.8/lib/decoding.c	2014-06-05 10:39:39.072295803 +0530

@@ -214,7 +214,7 @@ asn1_get_octet_der (const unsigned char

 		    int *ret_len, unsigned char *str, int str_size,

 		    int *str_len)

 {

-  int len_len;

+  int len_len = 0;

   if (der_len <= 0)

     return ASN1_GENERIC_ERROR;

@@ -335,7 +335,7 @@ asn1_get_bit_der (const unsigned char *d

 		  int *ret_len, unsigned char *str, int str_size,

 		  int *bit_len)

 {

-  int len_len, len_byte;

+  int len_len = 0, len_byte;

   if (der_len <= 0)

     return ASN1_GENERIC_ERROR;

@@ -346,6 +346,9 @@ asn1_get_bit_der (const unsigned char *d

   *ret_len = len_byte + len_len + 1;

   *bit_len = len_byte * 8 - der[len_len];

+  if (*bit_len <= 0)

+    return ASN1_DER_ERROR;

+

   if (str_size >= len_byte)

     memcpy (str, der + len_len + 1, len_byte);

   else