1 Source:

     2 Internal

     3 

     4 Info:

     5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468

     6 The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly 

     7 report an error when a negative bit length is identified, which allows 

     8 context-dependent attackers to cause out-of-bounds access via crafted ASN.1 

     9 data. 

    10 

    11 Status:

    12 Need to determine if this patch has been sent upstream.

    13 

    14 --- libtasn1-2.8/lib/decoding.c.orig	2014-06-05 10:36:51.728076396 +0530

    15 +++ libtasn1-2.8/lib/decoding.c	2014-06-05 10:39:39.072295803 +0530

    16 @@ -214,7 +214,7 @@ asn1_get_octet_der (const unsigned char

    17  		    int *ret_len, unsigned char *str, int str_size,

    18  		    int *str_len)

    19  {

    20 -  int len_len;

    21 +  int len_len = 0;

    22  

    23    if (der_len <= 0)

    24      return ASN1_GENERIC_ERROR;

    25 @@ -335,7 +335,7 @@ asn1_get_bit_der (const unsigned char *d

    26  		  int *ret_len, unsigned char *str, int str_size,

    27  		  int *bit_len)

    28  {

    29 -  int len_len, len_byte;

    30 +  int len_len = 0, len_byte;

    31  

    32    if (der_len <= 0)

    33      return ASN1_GENERIC_ERROR;

    34 @@ -346,6 +346,9 @@ asn1_get_bit_der (const unsigned char *d

    35    *ret_len = len_byte + len_len + 1;

    36    *bit_len = len_byte * 8 - der[len_len];

    37  

    38 +  if (*bit_len <= 0)

    39 +    return ASN1_DER_ERROR;

    40 +

    41    if (str_size >= len_byte)

    42      memcpy (str, der + len_len + 1, len_byte);

    43    else