root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Ensure that we consume all the data when decoding an SPKI 

If we are decoding a SubjectPublicKeyInfo structure then we must use all
of the data and must not have bytes "left over".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
This commit is contained in:
Matt Caswell 2021-05-27 16:47:14 +01:00
parent 2b049e933a
commit f8da1d8005
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
crypto/x509/x_pubkey.c
View File

@ -161,6 +161,7 @@ static int x509_pubkey_ex_d2i_ex(ASN1_VALUE **pval,
if (ret <= 0 && !pubkey->flag_force_legacy) { if (ret <= 0 && !pubkey->flag_force_legacy) {
const unsigned char *p; const unsigned char *p;
char txtoidname[OSSL_MAX_NAME_SIZE]; char txtoidname[OSSL_MAX_NAME_SIZE];
size_t slen = publen;
/* /*
* The decoders don't know how to handle anything other than Universal * The decoders don't know how to handle anything other than Universal
@ -190,9 +191,19 @@ static int x509_pubkey_ex_d2i_ex(ASN1_VALUE **pval,
pubkey->propq)) != NULL) pubkey->propq)) != NULL)
/* /*
* As said higher up, we're being opportunistic. In other words, * As said higher up, we're being opportunistic. In other words,
* we don't care about what the return value signals. * we don't care if we fail.
*/ */
OSSL_DECODER_from_data(dctx, &p, NULL); if (OSSL_DECODER_from_data(dctx, &p, &slen)) {
if (slen != 0) {
/*
* If we successfully decoded then we *must* consume all the
* bytes.
*/
ERR_clear_last_mark();
ERR_raise(ERR_LIB_ASN1, EVP_R_DECODE_ERROR);
goto end;
}
}
} }
ERR_pop_to_mark(); ERR_pop_to_mark();