diff options
| author |   jsing <jsing@openbsd.org> | 2019-04-10 16:23:55 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2019-04-10 16:23:55 +0000 |
| commit | 14f93c9cdea0a6bdff09a14f7097c5bb1885fdef (patch) | |
| tree | 210a81ebb36b3467562278e2723669289e559f4f /lib/libcrypto/asn1 | |
| parent | MPO cable names were swapped (diff) | |
| download | wireguard-openbsd-14f93c9cdea0a6bdff09a14f7097c5bb1885fdef.tar.xz wireguard-openbsd-14f93c9cdea0a6bdff09a14f7097c5bb1885fdef.zip | |
Avoid an overread caused by d2i_PrivateKey().
There are cases where the old_priv_decode() function can fail but consume
bytes. This will result in the pp pointer being advanced, which causes
d2i_PKCS8_PRIV_KEY_INFO() to be called with an advanced pointer and
incorrect length.
Fixes oss-fuzz #13803 and #14142.
ok deraadt@ tb@
Diffstat (limited to 'lib/libcrypto/asn1')
| -rw-r--r-- | lib/libcrypto/asn1/d2i_pr.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libcrypto/asn1/d2i_pr.c b/lib/libcrypto/asn1/d2i_pr.c index a657a1f3cd1..e450dee12fb 100644 --- a/lib/libcrypto/asn1/d2i_pr.c +++ b/lib/libcrypto/asn1/d2i_pr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d2i_pr.c,v 1.16 2018/04/14 07:09:21 tb Exp $ */ +/* $OpenBSD: d2i_pr.c,v 1.17 2019/04/10 16:23:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -76,6 +76,7 @@ EVP_PKEY * d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { + const unsigned char *p = *pp; EVP_PKEY *ret; if ((a == NULL) || (*a == NULL)) { @@ -100,6 +101,7 @@ d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) !ret->ameth->old_priv_decode(ret, pp, length)) { if (ret->ameth->priv_decode) { PKCS8_PRIV_KEY_INFO *p8 = NULL; + *pp = p; /* XXX */ p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length); if (!p8) goto err; |