Skip to content

Commit a4aab71

Browse files
authored
Merge pull request #10861 from padelsbach/asn-integer-overflow-copy
Fix possible memcpy length overflow in wolfSSL_d2i_ASN1_INTEGER
2 parents a5dbbf8 + f842e33 commit a4aab71

2 files changed

Lines changed: 13 additions & 0 deletions

File tree

src/ssl_asn1.c

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1459,6 +1459,11 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_d2i_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER** a,
14591459
WOLFSSL_MSG("ASN.1 length not valid.");
14601460
err = 1;
14611461
}
1462+
/* Check that len + idx won't overflow a signed int */
1463+
if ((!err) && (len > INT_MAX - (int)idx)) {
1464+
WOLFSSL_MSG("ASN.1 length too large.");
1465+
err = 1;
1466+
}
14621467
/* Allocate a new ASN.1 INTEGER object. */
14631468
if ((!err) && ((ret = wolfSSL_ASN1_INTEGER_new()) == NULL)) {
14641469
err = 1;

tests/api/test_ossl_asn1.c

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -434,6 +434,8 @@ int test_wolfSSL_d2i_ASN1_INTEGER(void)
434434
0xd2, 0x96, 0xdf, 0xd9, 0xd0, 0x4f, 0xad, 0xd7
435435
};
436436
static const byte garbageDer[] = {0xDE, 0xAD, 0xBE, 0xEF};
437+
/* Long-form length with INT_MAX content bytes for overflow testing */
438+
static const byte overflowLenDer[] = {0x02, 0x84, 0x7F, 0xFF, 0xFF, 0xFF};
437439

438440
static const ASN1IntTestVector testVectors[] = {
439441
{zeroDer, sizeof(zeroDer), 0},
@@ -464,6 +466,12 @@ int test_wolfSSL_d2i_ASN1_INTEGER(void)
464466
p = garbageDer;
465467
ExpectNull((a = wolfSSL_d2i_ASN1_INTEGER(&b, &p, sizeof(garbageDer))));
466468
ExpectNull(b);
469+
/* Only run on 64-bit systems where the `long` inSz param fits */
470+
if (LONG_MAX >= 0x80000005L) {
471+
p = overflowLenDer;
472+
ExpectNull((a = wolfSSL_d2i_ASN1_INTEGER(&b, &p, 0x80000005L)));
473+
ExpectNull(b);
474+
}
467475

468476
/* Check i2d error conditions */
469477
/* NULL input. */

0 commit comments

Comments
 (0)