openssl/sme8/openssl-fips-0.9.8e-cve-2014-3508.patch

diff -up openssl-fips-0.9.8e/crypto/asn1/a_object.c.oid-handling openssl-fips-0.9.8e/crypto/asn1/a_object.c
--- openssl-fips-0.9.8e/crypto/asn1/a_object.c.oid-handling     2006-02-21 02:00:47.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/asn1/a_object.c  2014-08-08 11:41:54.998379046 +0200
@@ -284,12 +284,35 @@ err:
                ASN1_OBJECT_free(ret);
        return(NULL);
 }
+
 ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
             long len)
        {
        ASN1_OBJECT *ret=NULL;
        const unsigned char *p;
-       int i;
+       int i, length;
+
+       /* Sanity check OID encoding.
+        * Need at least one content octet.
+        * MSB must be clear in the last octet.
+        * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
+        */
+       if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
+           p[len - 1] & 0x80)
+               {
+               ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_DECODING_ERROR);
+               return NULL;
+               }
+       /* Now 0 < len <= INT_MAX, so the cast is safe. */
+       length = (int)len;
+       for (i = 0; i < length; i++, p++)
+               {
+               if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
+                       {
+                       ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_DECODING_ERROR);
+                       return NULL;
+                       }
+               }
 
        /* only the ASN1_OBJECTs from the 'table' will have values
         * for ->sn or ->ln */
@@ -301,20 +324,20 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT
        else    ret=(*a);
 
        p= *pp;
-       if ((ret->data == NULL) || (ret->length < len))
+       if ((ret->data == NULL) || (ret->length < length))
                {
                if (ret->data != NULL) OPENSSL_free(ret->data);
-               ret->data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
+               ret->data=(unsigned char *)OPENSSL_malloc(length);
                ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
                if (ret->data == NULL)
                        { i=ERR_R_MALLOC_FAILURE; goto err; }
                }
-       memcpy(ret->data,p,(int)len);
-       ret->length=(int)len;
+       memcpy(ret->data,p,length);
+       ret->length=length;
        ret->sn=NULL;
        ret->ln=NULL;
        /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-       p+=len;
+       p+=length;
 
        if (a != NULL) (*a)=ret;
        *pp=p;
diff -up openssl-fips-0.9.8e/crypto/objects/obj_dat.c.oid-handling openssl-fips-0.9.8e/crypto/objects/obj_dat.c
--- openssl-fips-0.9.8e/crypto/objects/obj_dat.c.oid-handling   2006-02-15 16:03:47.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/objects/obj_dat.c        2014-08-08 11:36:22.487886979 +0200
@@ -443,11 +443,12 @@ int OBJ_obj2txt(char *buf, int buf_len,
        unsigned char *p;
        char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
-       if ((a == NULL) || (a->data == NULL)) {
-               buf[0]='\0';
-               return(0);
-       }
+       /* Ensure that, at every state, |buf| is NUL-terminated. */
+       if (buf && buf_len > 0)
+               buf[0] = '\0';
 
+       if ((a == NULL) || (a->data == NULL))
+               return(0);
 
        if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
                {
@@ -523,9 +524,10 @@ int OBJ_obj2txt(char *buf, int buf_len,
                                i=(int)(l/40);
                                l-=(long)(i*40);
                                }
-                       if (buf && (buf_len > 0))
+                       if (buf && (buf_len > 1))
                                {
                                *buf++ = i + '0';
+                               *buf = '\0';
                                buf_len--;
                                }
                        n++;
@@ -540,9 +542,10 @@ int OBJ_obj2txt(char *buf, int buf_len,
                        i = strlen(bndec);
                        if (buf)
                                {
-                               if (buf_len > 0)
+                               if (buf_len > 1)
                                        {
                                        *buf++ = '.';
+                                       *buf = '\0';
                                        buf_len--;
                                        }
                                BUF_strlcpy(buf,bndec,buf_len);
@@ -782,4 +785,3 @@ err:
        OPENSSL_free(buf);
        return(ok);
        }
-
1	charliebrady	1.1	diff -up openssl-fips-0.9.8e/crypto/asn1/a_object.c.oid-handling openssl-fips-0.9.8e/crypto/asn1/a_object.c
2			--- openssl-fips-0.9.8e/crypto/asn1/a_object.c.oid-handling 2006-02-21 02:00:47.000000000 +0100
3			+++ openssl-fips-0.9.8e/crypto/asn1/a_object.c 2014-08-08 11:41:54.998379046 +0200
4			@@ -284,12 +284,35 @@ err:
5			ASN1_OBJECT_free(ret);
6			return(NULL);
7			}
8			+
9			ASN1_OBJECT c2i_ASN1_OBJECT(ASN1_OBJECT a, const unsigned char *pp,
10			long len)
11			{
12			ASN1_OBJECT *ret=NULL;
13			const unsigned char *p;
14			- int i;
15			+ int i, length;
16			+
17			+ /* Sanity check OID encoding.
18			+ * Need at least one content octet.
19			+ * MSB must be clear in the last octet.
20			+ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
21			+ */
22			+ if (len <= 0 \|\| len > INT_MAX \|\| pp == NULL \|\| (p = *pp) == NULL \|\|
23			+ p[len - 1] & 0x80)
24			+ {
25			+ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_DECODING_ERROR);
26			+ return NULL;
27			+ }
28			+ /* Now 0 < len <= INT_MAX, so the cast is safe. */
29			+ length = (int)len;
30			+ for (i = 0; i < length; i++, p++)
31			+ {
32			+ if (*p == 0x80 && (!i \|\| !(p[-1] & 0x80)))
33			+ {
34			+ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_DECODING_ERROR);
35			+ return NULL;
36			+ }
37			+ }
38
39			/* only the ASN1_OBJECTs from the 'table' will have values
40			* for ->sn or ->ln */
41			@@ -301,20 +324,20 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT
42			else ret=(*a);
43
44			p= *pp;
45			- if ((ret->data == NULL) \|\| (ret->length < len))
46			+ if ((ret->data == NULL) \|\| (ret->length < length))
47			{
48			if (ret->data != NULL) OPENSSL_free(ret->data);
49			- ret->data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
50			+ ret->data=(unsigned char *)OPENSSL_malloc(length);
51			ret->flags\|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
52			if (ret->data == NULL)
53			{ i=ERR_R_MALLOC_FAILURE; goto err; }
54			}
55			- memcpy(ret->data,p,(int)len);
56			- ret->length=(int)len;
57			+ memcpy(ret->data,p,length);
58			+ ret->length=length;
59			ret->sn=NULL;
60			ret->ln=NULL;
61			/* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
62			- p+=len;
63			+ p+=length;
64
65			if (a != NULL) (*a)=ret;
66			*pp=p;
67			diff -up openssl-fips-0.9.8e/crypto/objects/obj_dat.c.oid-handling openssl-fips-0.9.8e/crypto/objects/obj_dat.c
68			--- openssl-fips-0.9.8e/crypto/objects/obj_dat.c.oid-handling 2006-02-15 16:03:47.000000000 +0100
69			+++ openssl-fips-0.9.8e/crypto/objects/obj_dat.c 2014-08-08 11:36:22.487886979 +0200
70			@@ -443,11 +443,12 @@ int OBJ_obj2txt(char *buf, int buf_len,
71			unsigned char *p;
72			char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
73
74			- if ((a == NULL) \|\| (a->data == NULL)) {
75			- buf[0]='\0';
76			- return(0);
77			- }
78			+ /* Ensure that, at every state, \|buf\| is NUL-terminated. */
79			+ if (buf && buf_len > 0)
80			+ buf[0] = '\0';
81
82			+ if ((a == NULL) \|\| (a->data == NULL))
83			+ return(0);
84
85			if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
86			{
87			@@ -523,9 +524,10 @@ int OBJ_obj2txt(char *buf, int buf_len,
88			i=(int)(l/40);
89			l-=(long)(i*40);
90			}
91			- if (buf && (buf_len > 0))
92			+ if (buf && (buf_len > 1))
93			{
94			*buf++ = i + '0';
95			+ *buf = '\0';
96			buf_len--;
97			}
98			n++;
99			@@ -540,9 +542,10 @@ int OBJ_obj2txt(char *buf, int buf_len,
100			i = strlen(bndec);
101			if (buf)
102			{
103			- if (buf_len > 0)
104			+ if (buf_len > 1)
105			{
106			*buf++ = '.';
107			+ *buf = '\0';
108			buf_len--;
109			}
110			BUF_strlcpy(buf,bndec,buf_len);
111			@@ -782,4 +785,3 @@ err:
112			OPENSSL_free(buf);
113			return(ok);
114			}
115			-