author | Jiri Sasek <Jiri.Sasek@Oracle.COM> |
Wed, 27 Jan 2016 18:45:20 -0800 | |
changeset 5398 | f499dad29f21 |
parent 4723 | 4193dfeb0e39 |
permissions | -rw-r--r-- |
4723
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
1 |
Source: |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
2 |
Internal |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
3 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
4 |
Info: |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
5 |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469 |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
6 |
The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
7 |
before 3.6 allows context-dependent attackers to cause a denial of service |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
8 |
(NULL pointer dereference and crash) via a NULL value in an ivalue argument. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
9 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
10 |
Status: |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
11 |
Need to determine if this patch has been sent upstream. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
12 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
13 |
--- libtasn1-2.8/lib/element.c.orig 2014-06-05 10:41:52.955725412 +0530 |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
14 |
+++ libtasn1-2.8/lib/element.c 2014-06-05 11:09:52.177695875 +0530 |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
15 |
@@ -113,8 +113,11 @@ _asn1_convert_integer (const char *value |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
16 |
/* VALUE_OUT is too short to contain the value conversion */ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
17 |
return ASN1_MEM_ERROR; |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
18 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
19 |
- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
20 |
+ if (value_out != NULL) |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
21 |
+ { |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
22 |
+ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
23 |
value_out[k2 - k] = val[k2]; |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
24 |
+ } |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
25 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
26 |
#if 0 |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
27 |
printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len); |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
28 |
@@ -622,7 +625,8 @@ asn1_write_value (ASN1_TYPE node_root, c |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
29 |
if (ptr_size < data_size) { \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
30 |
return ASN1_MEM_ERROR; \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
31 |
} else { \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
32 |
- memcpy( ptr, data, data_size); \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
33 |
+ if (ptr && data_size > 0) \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
34 |
+ memcpy( ptr, data, data_size); \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
35 |
} |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
36 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
37 |
#define PUT_STR_VALUE( ptr, ptr_size, data) \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
38 |
@@ -631,36 +635,39 @@ asn1_write_value (ASN1_TYPE node_root, c |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
39 |
return ASN1_MEM_ERROR; \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
40 |
} else { \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
41 |
/* this strcpy is checked */ \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
42 |
- strcpy(ptr, data); \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
43 |
+ if (ptr) { \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
44 |
+ strcpy(ptr, data); \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
45 |
+ } \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
46 |
} |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
47 |
|
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
48 |
#define ADD_STR_VALUE( ptr, ptr_size, data) \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
49 |
- *len = (int) strlen(data) + 1; \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
50 |
- if (ptr_size < (int) strlen(ptr)+(*len)) { \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
51 |
+ *len += strlen(data); \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
52 |
+ if (ptr_size < (int) *len) { \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
53 |
+ (*len)++; \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
54 |
return ASN1_MEM_ERROR; \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
55 |
} else { \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
56 |
/* this strcat is checked */ \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
57 |
- strcat(ptr, data); \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
58 |
+ if (ptr) strcat (ptr, data); \ |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
59 |
} |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
60 |
- |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
61 |
/** |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
62 |
* asn1_read_value: |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
63 |
* @root: pointer to a structure. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
64 |
* @name: the name of the element inside a structure that you want to read. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
65 |
* @ivalue: vector that will contain the element's content, must be a |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
66 |
- * pointer to memory cells already allocated. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
67 |
+ * pointer to memory cells already allocated (may be %NULL). |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
68 |
* @len: number of bytes of *value: value[0]..value[len-1]. Initialy |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
69 |
* holds the sizeof value. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
70 |
* |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
71 |
* Returns the value of one element inside a structure. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
72 |
- * |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
73 |
- * If an element is OPTIONAL and the function "read_value" returns |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
74 |
+ * If an element is OPTIONAL and this returns |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
75 |
* %ASN1_ELEMENT_NOT_FOUND, it means that this element wasn't present |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
76 |
* in the der encoding that created the structure. The first element |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
77 |
* of a SEQUENCE_OF or SET_OF is named "?1". The second one "?2" and |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
78 |
* so on. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
79 |
* |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
80 |
- * INTEGER: VALUE will contain a two's complement form integer. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
81 |
+ * Note that there can be valid values with length zero. In these case |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
82 |
+ * this function will succeed and @len will be zero. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
83 |
+ * |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
84 |
* |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
85 |
* integer=-1 -> value[0]=0xFF , len=1. |
4193dfeb0e39
21124729 Move libtasn1 from Desktop to Userland consolidation
Ann Lai <ann.lai@oracle.com>
parents:
diff
changeset
|
86 |
* integer=1 -> value[0]=0x01 , len=1. |