| From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001 |
| From: "Dr. Stephen Henson" <steve@openssl.org> |
| Date: Tue, 10 Nov 2015 19:03:07 +0000 |
| Subject: [PATCH] Fix leak with ASN.1 combine. |
| |
| When parsing a combined structure, pass a flag to the decode routine |
| so that on error the pointer to the parent structure is not zeroed, as |
| zeroing it would leak any additional components in the parent. |
| |
| This can leak memory in any application parsing PKCS#7 or CMS structures. |
| |
| CVE-2015-3195. |
| |
| Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using |
| libFuzzer. |
| |
| PR#4131 |
| |
| Reviewed-by: Richard Levitte <levitte@openssl.org> |
| |
| Upstream-Status: Backport |
| |
| This patch was imported from |
| https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d |
| |
| Signed-off-by: Armin Kuster <akuster@mvista.com> |
| |
| --- |
| crypto/asn1/tasn_dec.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c |
| index febf605..9256049 100644 |
| --- a/crypto/asn1/tasn_dec.c |
| +++ b/crypto/asn1/tasn_dec.c |
| @@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, |
| int otag; |
| int ret = 0; |
| ASN1_VALUE **pchptr, *ptmpval; |
| + int combine = aclass & ASN1_TFLG_COMBINE; |
| + aclass &= ~ASN1_TFLG_COMBINE; |
| if (!pval) |
| return 0; |
| if (aux && aux->asn1_cb) |
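Review bot: The two lines added at the top of ASN1_item_ex_d2i overload the `aclass` parameter with a template flag without saying so, and both the class comparisons later in the function and the conditional free on the `err:` label in the second hunk depend on that silent convention. Suggest a comment above `int combine = aclass & ASN1_TFLG_COMBINE;` such as `/* ASN1_TFLG_COMBINE is passed in through aclass by asn1_template_noexp_d2i: record it for the err: path (a combined value is part of the parent and is freed by the parent's cleanup, so freeing it here would zero the parent pointer and leak its other fields) and strip it so the comparisons below see only class bits. */`, and in the second hunk a one-liner on `if (combine == 0)` pointing back to it. This relies on the flag's bit not overlapping any ASN.1 class value; that is presumably why it can share the parameter, but it is worth confirming against the flag definitions, which are not in this patch. The body of ASN1_item_ex_d2i starts before this hunk and continues past it.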
| @@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, |
| auxerr: |
| ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); |
| err: |
| - ASN1_item_ex_free(pval, it); |
| + if (combine == 0) |
| + ASN1_item_ex_free(pval, it); |
| if (errtt) |
| ERR_add_error_data(4, "Field=", errtt->field_name, |
| ", Type=", it->sname); |
| @@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, |
| } else { |
| /* Nothing special */ |
| ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), |
| - -1, 0, opt, ctx); |
| + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); |
| if (!ret) { |
| ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); |
| goto err; |
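Review bot: Passing `tt->flags & ASN1_TFLG_COMBINE` in the `aclass` position of the ASN1_item_ex_d2i call reads as if a tag class were being supplied, so the intent is easy to miss at the call site. A named local makes the convention visible: `int combine = tt->flags & ASN1_TFLG_COMBINE;` before the call and `-1, combine, opt, ctx);` in it, with a short comment that the callee strips the flag from aclass and, when it is set, leaves releasing the value to this function's own error path rather than freeing and zeroing `*val` itself. The enclosing asn1_template_noexp_d2i body and its `err:` cleanup are outside this hunk, so whether that cleanup actually releases a partially decoded combined value cannot be confirmed from here.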
| -- |
| 2.3.5 |
| |