components/libtasn1/patches/libtasn1-04-cve-2014-3469.patch
author Mike Sullivan <Mike.Sullivan@Oracle.COM>
Thu, 12 Jan 2017 23:01:10 -0800
changeset 7573 327652931f2a
parent 4723 4193dfeb0e39
permissions -rw-r--r--
Added tag s12-116 for changeset 61e40bdebd78

Source:
Internal

Info:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469
The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1
before 3.6 allow context-dependent attackers to cause a denial of service
(NULL pointer dereference and crash) via a NULL value in an ivalue argument.

Status:
Need to determine if this patch has been sent upstream.

--- libtasn1-2.8/lib/element.c.orig	2014-06-05 10:41:52.955725412 +0530
+++ libtasn1-2.8/lib/element.c	2014-06-05 11:09:52.177695875 +0530
@@ -113,8 +113,11 @@ _asn1_convert_integer (const char *value
     /* VALUE_OUT is too short to contain the value conversion */
     return ASN1_MEM_ERROR;
 
-  for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+  if (value_out != NULL)
+  {
+    for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
     value_out[k2 - k] = val[k2];
+  }
 
 #if 0
   printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
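Review bot: Inside the new `if (value_out != NULL)` block the loop body `value_out[k2 - k] = val[k2];` keeps its old indentation and now sits at the same column as the `for`, which reads as an empty loop followed by a single store; indent it one level under the `for`. The guard also turns a NULL `value_out` into a success path in which nothing is copied, and nothing in the hunk records that; a comment such as `/* value_out may be NULL: the caller only wants the length */` above the `if` would state the contract, assuming `*len` is set earlier in the function. The start and end of `_asn1_convert_integer` are outside this hunk, so that assumption should be confirmed against the full body.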
@@ -622,7 +625,8 @@ asn1_write_value (ASN1_TYPE node_root, c
 	if (ptr_size < data_size) { \
 		return ASN1_MEM_ERROR; \
 	} else { \
-		memcpy( ptr, data, data_size); \
+		if (ptr && data_size > 0) \
+			memcpy( ptr, data, data_size); \
 	}
 
 #define PUT_STR_VALUE( ptr, ptr_size, data) \
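Review bot: The new condition `if (ptr && data_size > 0)` uses the macro arguments unparenthesized, so an expression passed as an argument can bind differently than intended; write it as `if ((ptr) != NULL && (data_size) > 0)`. The same applies to the `if (ptr)` guards added to `PUT_STR_VALUE` and `ADD_STR_VALUE` in the next hunk. The guard covers a NULL destination and a zero length but not a NULL `data` with a positive `data_size`; if any call site can produce that combination, it still reaches `memcpy`. The macro's `#define` line is above this hunk, so its parameter list is inferred from the body.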
@@ -631,36 +635,39 @@ asn1_write_value (ASN1_TYPE node_root, c
 		return ASN1_MEM_ERROR; \
 	} else { \
 		/* this strcpy is checked */ \
-		strcpy(ptr, data); \
+		if (ptr) { \
+			strcpy(ptr, data); \
+		} \
 	}
 
 #define ADD_STR_VALUE( ptr, ptr_size, data) \
-	*len = (int) strlen(data) + 1; \
-	if (ptr_size < (int) strlen(ptr)+(*len)) { \
+	*len += strlen(data); \
+	if (ptr_size < (int) *len) { \
+		(*len)++; \
 		return ASN1_MEM_ERROR; \
 	} else { \
 		/* this strcat is checked */ \
-		strcat(ptr, data); \
+		if (ptr) strcat (ptr, data); \
 	}
-
 /**
  * asn1_read_value:
  * @root: pointer to a structure.
  * @name: the name of the element inside a structure that you want to read.
  * @ivalue: vector that will contain the element's content, must be a
- *   pointer to memory cells already allocated.
+ *   pointer to memory cells already allocated (may be %NULL).
  * @len: number of bytes of *value: value[0]..value[len-1]. Initialy
  *   holds the sizeof value.
  *
  * Returns the value of one element inside a structure.
- *
- * If an element is OPTIONAL and the function "read_value" returns
+ * If an element is OPTIONAL and this returns
  * %ASN1_ELEMENT_NOT_FOUND, it means that this element wasn't present
  * in the der encoding that created the structure.  The first element
  * of a SEQUENCE_OF or SET_OF is named "?1". The second one "?2" and
  * so on.
  *
- * INTEGER: VALUE will contain a two's complement form integer.
+ * Note that there can be valid values with length zero. In these case
+ * this function will succeed and @len will be zero.
+ *
  *
  *            integer=-1  -> value[0]=0xFF , len=1.
  *            integer=1   -> value[0]=0x01 , len=1.