rpms / openssl

Clone
Source Code
GIT

Blame SOURCES/openssl-1.0.1e-cve-2016-2109.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   1c5d99a56e70d3f668fd69f148538c635dd990d6
  2.   SOURCES
  3.   openssl-1.0.1e-cve-2016-2109.patch
Blob History Raw
5fee79 
diff -up openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos openssl-1.0.1e/crypto/asn1/a_d2i_fp.c
5fee79 
--- openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos	2013-02-11 16:02:47.000000000 +0100
5fee79 
+++ openssl-1.0.1e/crypto/asn1/a_d2i_fp.c	2016-04-29 13:44:52.205538739 +0200
5fee79 
@@ -139,6 +139,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
5fee79 
 #endif
5fee79
5fee79 
 #define HEADER_SIZE   8
5fee79 
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
5fee79 
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
5fee79 
 	{
5fee79 
 	BUF_MEM *b;
5fee79 
@@ -230,6 +231,8 @@ static int asn1_d2i_read_bio(BIO *in, BU
5fee79 
 			want=c.slen;
5fee79 
 			if (want > (len-off))
5fee79 
 				{
5fee79 
+				size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
5fee79 
+
5fee79 
 				want-=(len-off);
5fee79 
 				if (want > INT_MAX /* BIO_read takes an int length */ ||
5fee79 
 					len+want < len)
5fee79 
@@ -237,24 +240,38 @@ static int asn1_d2i_read_bio(BIO *in, BU
5fee79 
 						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
5fee79 
 						goto err;
5fee79 
 						}
5fee79 
-				if (!BUF_MEM_grow_clean(b,len+want))
5fee79 
-					{
5fee79 
-					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
5fee79 
-					goto err;
5fee79 
-					}
5fee79 
 				while (want > 0)
5fee79 
 					{
5fee79 
-					i=BIO_read(in,&(b->data[len]),want);
5fee79 
-					if (i <= 0)
5fee79 
+					/*
5fee79 
+					 * Read content in chunks of increasing size
5fee79 
+					 * so we can return an error for EOF without
5fee79 
+					 * having to allocate the entire content length
5fee79 
+					 * in one go.
5fee79 
+					 */
5fee79 
+					size_t chunk = want > chunk_max ? chunk_max : want;
5fee79 
+
5fee79 
+					if (!BUF_MEM_grow_clean(b, len + chunk))
5fee79 
 						{
5fee79 
-						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
5fee79 
-						    ASN1_R_NOT_ENOUGH_DATA);
5fee79 
+						ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
5fee79 
 						goto err;
5fee79 
 						}
5fee79 
-					/* This can't overflow because
5fee79 
-					 * |len+want| didn't overflow. */
5fee79 
-					len+=i;
5fee79 
-					want-=i;
5fee79 
+					want -= chunk;
5fee79 
+					while (chunk > 0)
5fee79 
+						{
5fee79 
+						i = BIO_read(in, &(b->data[len]), chunk);
5fee79 
+						if (i <= 0)
5fee79 
+							{
5fee79 
+							ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
5fee79 
+								ASN1_R_NOT_ENOUGH_DATA);
5fee79 
+							goto err;
5fee79 
+							}
5fee79 
+						/* This can't overflow because
5fee79 
+						 * |len+want| didn't overflow. */
5fee79 
+						len += i;
5fee79 
+						chunk -= i;
5fee79 
+						}
5fee79 
+					if (chunk_max < INT_MAX/2)
5fee79 
+						chunk_max *= 2;
5fee79 
 					}
5fee79 
 				}
5fee79 
 			if (off + c.slen < off)

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation