|
1 Source: |
|
2 Internal |
|
3 |
|
4 Info: |
|
5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468 |
|
6 The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly |
|
7 report an error when a negative bit length is identified, which allows |
|
8 context-dependent attackers to cause out-of-bounds access via crafted ASN.1 |
|
9 data. |
|
10 |
|
11 Status: |
|
12 Need to determine if this patch has been sent upstream. |
|
13 |
|
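--- a/libtasn1-2.8/lib/decoding.c
+++ b/libtasn1-2.8/lib/decoding.c
@@ -214,7 +214,7 @@ asn1_get_octet_der (const unsigned char
 int *ret_len, unsigned char *str, int str_size,
 int *str_len)
 {
- int len_len;
+ int len_len = 0;
 
 if (der_len <= 0)
 return ASN1_GENERIC_ERROR;
@@ -335,7 +335,7 @@ asn1_get_bit_der (const unsigned char *d
 int *ret_len, unsigned char *str, int str_size,
 int *bit_len)
 {
- int len_len, len_byte;
+ int len_len = 0, len_byte;
 
 if (der_len <= 0)
 return ASN1_GENERIC_ERROR;
@@ -346,6 +346,9 @@ asn1_get_bit_der (const unsigned char *d
 *ret_len = len_byte + len_len + 1;
 *bit_len = len_byte * 8 - der[len_len];
 
+ if (*bit_len <= 0)
+ return ASN1_DER_ERROR;
+
 if (str_size >= len_byte)
 memcpy (str, der + len_len + 1, len_byte);
 else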
43 else |