author | David Benjamin <davidben@chromium.org> | 2015-03-19 22:03:10 +0300 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2015-03-19 22:48:41 +0300 |
commit | 7a8e62dbd9df2ca2ee522fb3072edbfef6aafd11 | |
tree | 08be7b70a247837b27e0ed981bbb6d40033a5c69 /crypto/asn1 | |
parent | 61c0d4e8b210104f6e9575421411641d9fe87086 | |
Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
CVE-2015-0286
(Imported from upstream's e677e8d13595f7b3287f8feef7676feb301b0e8a.)
Change-Id: I5faefc190568504bb5895ed9816a6d80432cfa45
Reviewed-on: https://boringssl-review.googlesource.com/4048
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto/asn1')
-rw-r--r-- | crypto/asn1/a_type.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c index 75a17d5c..fd3d5b11 100644 --- a/crypto/asn1/a_type.c +++ b/crypto/asn1/a_type.c @@ -125,6 +125,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) case V_ASN1_NULL: result = 0; /* They do not have content. */ break; + case V_ASN1_BOOLEAN: + result = a->value.boolean - b->value.boolean; + break; case V_ASN1_INTEGER: case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: |
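Review bot: The new `case V_ASN1_BOOLEAN:` carries no comment saying why boolean needs its own branch, unlike the `V_ASN1_NULL` case directly above it ("They do not have content."). A short comment stating that `value.boolean` is compared as a scalar and must not be handled by the cases that follow would keep a later cleanup from merging it back into them. Separately, `a->value.boolean - b->value.boolean` is nonzero for two different nonzero values; if any nonzero value is meant to count as TRUE, compare `!a->value.boolean` with `!b->value.boolean` instead, otherwise note in the comment that the raw values are compared.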