diff options
author | bz <bz@FreeBSD.org> | 2012-05-03 15:25:11 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2012-05-03 15:25:11 +0000 |
commit | 48f59d28b651092680a3d14a183ef5b108f766c9 (patch) | |
tree | 308fed307a1a34ef05a861d58b6041099cb0b373 /crypto/openssl/crypto/buffer | |
parent | fa4352cd7f9cb0b62893271a3cdaba1079e3013c (diff) | |
download | FreeBSD-src-48f59d28b651092680a3d14a183ef5b108f766c9.zip FreeBSD-src-48f59d28b651092680a3d14a183ef5b108f766c9.tar.gz |
Fix multiple OpenSSL vulnerabilities.
Security: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109
Security: CVE-2012-0884, CVE-2012-2110
Security: FreeBSD-SA-12:01.openssl
Approved by: so (bz,simon)
Diffstat (limited to 'crypto/openssl/crypto/buffer')
-rw-r--r-- | crypto/openssl/crypto/buffer/buffer.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/crypto/openssl/crypto/buffer/buffer.c b/crypto/openssl/crypto/buffer/buffer.c index b3e9477..0335d48 100644 --- a/crypto/openssl/crypto/buffer/buffer.c +++ b/crypto/openssl/crypto/buffer/buffer.c @@ -60,6 +60,11 @@ #include "cryptlib.h" #include <openssl/buffer.h> +/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That + * function is applied in several functions in this file and this limit ensures + * that the result fits in an int. */ +#define LIMIT_BEFORE_EXPANSION 0x5ffffffc + BUF_MEM *BUF_MEM_new(void) { BUF_MEM *ret; @@ -94,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len) char *ret; unsigned int n; + if (len < 0) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } if (str->length >= len) { str->length=len; @@ -105,6 +115,12 @@ int BUF_MEM_grow(BUF_MEM *str, int len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); @@ -130,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len) char *ret; unsigned int n; + if (len < 0) + { + BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE); + return 0; + } if (str->length >= len) { memset(&str->data[len],0,str->length-len); @@ -142,6 +163,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); |