Check for errors in BN_bn2dec()
If an oversize BIGNUM is presented to BN_bn2dec() it can cause BN_div_word() to fail and not reduce the value of 't' resulting in OOB writes to the bn_data buffer and eventually crashing. Fix by checking return value of BN_div_word() and checking writes don't overflow buffer. Thanks to Shi Lei for reporting this bug. CVE-2016-2182 Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
Dr. Stephen Henson
parent
40c60b0d73
commit
07bed46f33
1 changed files with 7 additions and 1 deletions
|
|
@ -62,6 +62,7 @@ char *BN_bn2dec(const BIGNUM *a)
|
|||
char *p;
|
||||
BIGNUM *t = NULL;
|
||||
BN_ULONG *bn_data = NULL, *lp;
|
||||
int bn_data_num;
|
||||
|
||||
/*-
|
||||
* get an upper bound for the length of the decimal integer
|
||||
|
|
@ -71,7 +72,8 @@ char *BN_bn2dec(const BIGNUM *a)
|
|||
*/
|
||||
i = BN_num_bits(a) * 3;
|
||||
num = (i / 10 + i / 1000 + 1) + 1;
|
||||
bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
|
||||
bn_data_num = num / BN_DEC_NUM + 1;
|
||||
bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
|
||||
buf = OPENSSL_malloc(num + 3);
|
||||
if ((buf == NULL) || (bn_data == NULL)) {
|
||||
BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
|
||||
|
|
@ -93,7 +95,11 @@ char *BN_bn2dec(const BIGNUM *a)
|
|||
i = 0;
|
||||
while (!BN_is_zero(t)) {
|
||||
*lp = BN_div_word(t, BN_DEC_CONV);
|
||||
if (*lp == (BN_ULONG)-1)
|
||||
goto err;
|
||||
lp++;
|
||||
if (lp - bn_data >= bn_data_num)
|
||||
goto err;
|
||||
}
|
||||
lp--;
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in a new issue