kumquat-buildroot/package/cryptopp/0001-Fix-possible-DoS-in-ASN.1-decoders-CVE-2016-9939.patch
Peter Korsgaard 9f57959147 cryptopp: fixup DOS newlines in CVE-2016-9939 patch
The patch did contain the correct newlines, but they got stripped by
patchwork so now the patch no longer applies.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-12-29 00:01:54 +01:00

70 lines
1.9 KiB
Diff

From 3d9181d7bdd8e491f745dbc9e34bd20b6f6da069 Mon Sep 17 00:00:00 2001
From: Gergely Nagy <ngg@tresorit.com>
Date: Wed, 14 Dec 2016 13:19:01 +0100
Subject: [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
asn.cpp | 10 ++++++++++
asn.h | 2 ++
2 files changed, 12 insertions(+)
diff --git a/asn.cpp b/asn.cpp
index 297ff01..2e923ef 100644
--- a/asn.cpp
+++ b/asn.cpp
@@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str)
size_t bc;
if (!BERLengthDecode(bt, bc))
BERDecodeError();
+ if (bc > bt.MaxRetrievable())
+ BERDecodeError();
str.New(bc);
if (bc != bt.Get(str, bc))
@@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
size_t bc;
if (!BERLengthDecode(bt, bc))
BERDecodeError();
+ if (bc > bt.MaxRetrievable())
+ BERDecodeError();
bt.TransferTo(str, bc);
return bc;
@@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
size_t bc;
if (!BERLengthDecode(bt, bc))
BERDecodeError();
+ if (bc > bt.MaxRetrievable())
+ BERDecodeError();
SecByteBlock temp(bc);
if (bc != bt.Get(temp, bc))
@@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
size_t bc;
if (!BERLengthDecode(bt, bc))
BERDecodeError();
+ if (bc == 0)
+ BERDecodeError();
+ if (bc > bt.MaxRetrievable())
+ BERDecodeError();
byte unused;
if (!bt.Get(unused))
diff --git a/asn.h b/asn.h
index ed9de52..33f0dd0 100644
--- a/asn.h
+++ b/asn.h
@@ -498,6 +498,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER,
bool definite = BERLengthDecode(in, bc);
if (!definite)
BERDecodeError();
+ if (bc > in.MaxRetrievable())
+ BERDecodeError();
SecByteBlock buf(bc);
--
2.10.2