diff options
author | Adam Langley <agl@google.com> | 2014-11-04 05:02:03 +0300 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2014-11-11 00:45:32 +0300 |
commit | 9398f168f96a1cd6e166309d77cbeca41ec0aea7 (patch) | |
tree | 37d1f14d65c7977f637387f495fbab1a51bc6fa9 /crypto/ec/ec_asn1.c | |
parent | 9f5a314d35e7eb8be36206f6903a818dfaf24eba (diff) |
Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey.
The old code implicitly relies on the ASN.1 code returning a \0-prefixed
buffer when the buffer length is 0. Change this to verify explicitly
that the ASN.1 string has positive length.
(Imported from upstream's 7f7c05ca638c3cc6d261961fae439cd91e3c1d27)
Change-Id: Icc6c44b874bdcb02374016a36d209830d6162a8a
Diffstat (limited to 'crypto/ec/ec_asn1.c')
-rw-r--r-- | crypto/ec/ec_asn1.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index add2f53d..e7d96e11 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -352,11 +352,16 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const uint8_t **in, long len) { if (priv_key->publicKey) { const uint8_t *pub_oct; - size_t pub_oct_len; + int pub_oct_len; pub_oct = M_ASN1_STRING_data(priv_key->publicKey); pub_oct_len = M_ASN1_STRING_length(priv_key->publicKey); - /* save the point conversion form */ + /* The first byte (the point conversion form) must be present. */ + if (pub_oct_len <= 0) { + OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, EC_R_BUFFER_TOO_SMALL); + goto err; + } + /* Save the point conversion form. */ ret->conv_form = (point_conversion_form_t)(pub_oct[0] & ~0x01); if (!EC_POINT_oct2point(ret->group, ret->pub_key, pub_oct, pub_oct_len, NULL)) { |