authorGordon Tetlow <gordon@FreeBSD.org>2020-12-08 19:10:40 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-12-08 19:10:40 +0000
commite30782bbdad59b00537d9c44c17e3fb5b3cec95b (patch)
treedc92937712ecf800c648164f7f8ac9e6aecd6f19 /crypto/openssl/crypto/asn1/tasn_dec.c
parentc944cb7416ea291d56989168890ec13ff98465d0 (diff)
Fix OpenSSL NULL pointer de-reference.releng/12.1
Approved by: so Security: FreeBSD-SA-20:33.openssl Security: CVE-2020-1971
Notes
Notes: svn path=/releng/12.1/; revision=368463
Diffstat (limited to 'crypto/openssl/crypto/asn1/tasn_dec.c')
-rw-r--r--crypto/openssl/crypto/asn1/tasn_dec.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c
index c2a521ed5180..05a5482ccf4e 100644
--- a/crypto/openssl/crypto/asn1/tasn_dec.c
+++ b/crypto/openssl/crypto/asn1/tasn_dec.c
@@ -182,6 +182,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
tag, aclass, opt, ctx);
case ASN1_ITYPE_MSTRING:
+ /*
+ * It never makes sense for multi-strings to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
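Review bot: The comment on the new `tag != -1` guard in the ASN1_ITYPE_MSTRING case, and on the identical guard in the ASN1_ITYPE_CHOICE hunk further down, says implicit tagging "never makes sense" but not why the decoder must refuse it. The lines that follow read the tag from the input and match it against `it->utype`, so the encoded tag is what determines the concrete type, and the same reasoning appears to apply to CHOICE. I would extend both comments with something like `* The encoded tag selects the actual type here, so an implicit tag would hide it; reject the template rather than decode a value of unknown type.` The diffstat is limited to tasn_dec.c, so it is not visible whether the encoder path gets a matching check or whether a regression test with a mis-tagged template accompanies the change; both are worth confirming. asn1_item_embed_d2i starts and ends outside this hunk.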
@@ -199,6 +208,7 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
goto err;
}
+
/* Check tag matches bit map */
if (!(ASN1_tag2bit(otag) & it->utype)) {
/* If OPTIONAL, assume this is OK */
@@ -215,6 +225,15 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
case ASN1_ITYPE_CHOICE:
+ /*
+ * It never makes sense for CHOICE types to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
if (*pval) {