Fix ASN1_TYPE_cmp

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. CVE-2015-0286 (Imported from upstream's e677e8d13595f7b3287f8feef7676feb301b0e8a.) Change-Id: I5faefc190568504bb5895ed9816a6d80432cfa45 Reviewed-on: https://boringssl-review.googlesource.com/4048 Reviewed-by: Adam Langley <agl@google.com>
author: David Benjamin <davidben@chromium.org> 2015-03-19 22:03:10 +0300
committer: Adam Langley <agl@google.com> 2015-03-19 22:48:41 +0300
commit: 7a8e62dbd9df2ca2ee522fb3072edbfef6aafd11 (patch)
tree: 08be7b70a247837b27e0ed981bbb6d40033a5c69 /crypto/asn1
parent: 61c0d4e8b210104f6e9575421411641d9fe87086 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 75a17d5c..fd3d5b11 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -125,6 +125,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
 	case V_ASN1_NULL:
 		result = 0;	/* They do not have content. */
 		break;
+	case V_ASN1_BOOLEAN:
+		result = a->value.boolean - b->value.boolean;
+		break;
 	case V_ASN1_INTEGER:
 	case V_ASN1_NEG_INTEGER:
 	case V_ASN1_ENUMERATED:
author	David Benjamin <davidben@chromium.org>	2015-03-19 22:03:10 +0300
committer	Adam Langley <agl@google.com>	2015-03-19 22:48:41 +0300
commit	7a8e62dbd9df2ca2ee522fb3072edbfef6aafd11 (patch)
tree	08be7b70a247837b27e0ed981bbb6d40033a5c69 /crypto/asn1
parent	61c0d4e8b210104f6e9575421411641d9fe87086 (diff)