yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch - openbmc/openbmc - Gitiles

 From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001
 From: "Dr. Stephen Henson" <steve@openssl.org>
 Date: Tue, 10 Nov 2015 19:03:07 +0000
 Subject: [PATCH] Fix leak with ASN.1 combine.

 When parsing a combined structure pass a flag to the decode routine
 so on error a pointer to the parent structure is not zeroed as
 this will leak any additional components in the parent.

 This can leak memory in any application parsing PKCS#7 or CMS structures.

 CVE-2015-3195.

 Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
 libFuzzer.

 PR#4131

 Reviewed-by: Richard Levitte <levitte@openssl.org>

 Upstream-Status: Backport

 This patch was imported from
 https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d

 Signed-off-by: Armin Kuster <akuster@mvista.com>

 ---
  crypto/asn1/tasn_dec.c | 7 +++++--
  1 file changed, 5 insertions(+), 2 deletions(-)

 diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
 index febf605..9256049 100644
 --- a/crypto/asn1/tasn_dec.c
 +++ b/crypto/asn1/tasn_dec.c
 @@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
      int otag;
      int ret = 0;
      ASN1_VALUE **pchptr, *ptmpval;
 +    int combine = aclass & ASN1_TFLG_COMBINE;
 +    aclass &= ~ASN1_TFLG_COMBINE;
      if (!pval)
          return 0;
      if (aux && aux->asn1_cb)
 @@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
   auxerr:
      ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
   err:
 -    ASN1_item_ex_free(pval, it);
 +    if (combine == 0)
 +        ASN1_item_ex_free(pval, it);
      if (errtt)
          ERR_add_error_data(4, "Field=", errtt->field_name,
                             ", Type=", it->sname);
 @@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
      } else {
          /* Nothing special */
          ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
 -                               -1, 0, opt, ctx);
 +                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
          if (!ret) {
              ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
              goto err;
 --
 2.3.5
	From cc598f321fbac9c04da5766243ed55d55948637d Mon Sep 17 00:00:00 2001
	From: "Dr. Stephen Henson" <steve@openssl.org>
	Date: Tue, 10 Nov 2015 19:03:07 +0000
	Subject: [PATCH] Fix leak with ASN.1 combine.

	When parsing a combined structure pass a flag to the decode routine
	so on error a pointer to the parent structure is not zeroed as
	this will leak any additional components in the parent.

	This can leak memory in any application parsing PKCS#7 or CMS structures.

	CVE-2015-3195.

	Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
	libFuzzer.

	PR#4131

	Reviewed-by: Richard Levitte <levitte@openssl.org>

	Upstream-Status: Backport

	This patch was imported from
	https://git.openssl.org/?p=openssl.git;a=commit;h=cc598f321fbac9c04da5766243ed55d55948637d

	Signed-off-by: Armin Kuster <akuster@mvista.com>

	---
	crypto/asn1/tasn_dec.c \| 7 +++++--
	1 file changed, 5 insertions(+), 2 deletions(-)

	diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
	index febf605..9256049 100644
	--- a/crypto/asn1/tasn_dec.c
	+++ b/crypto/asn1/tasn_dec.c
	@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE pval, const unsigned char in, long len,
	int otag;
	int ret = 0;
	ASN1_VALUE *pchptr, ptmpval;
	+ int combine = aclass & ASN1_TFLG_COMBINE;
	+ aclass &= ~ASN1_TFLG_COMBINE;
	if (!pval)
	return 0;
	if (aux && aux->asn1_cb)
	@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE pval, const unsigned char in, long len,
	auxerr:
	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
	err:
	- ASN1_item_ex_free(pval, it);
	+ if (combine == 0)
	+ ASN1_item_ex_free(pval, it);
	if (errtt)
	ERR_add_error_data(4, "Field=", errtt->field_name,
	", Type=", it->sname);
	@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
	} else {
	/* Nothing special */
	ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
	- -1, 0, opt, ctx);
	+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
	if (!ret) {
	ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
	goto err;
	--
	2.3.5