diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2016-08-15 16:52:21 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2016-08-16 00:27:10 +0100 |
commit | 66bcba145740e4f1210499ba6e5033035a2a4647 (patch) | |
tree | 928a295acb74b39823d9aa8fa77b305943cbc338 /crypto/pem | |
parent | 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa (diff) | |
download | openssl-new-66bcba145740e4f1210499ba6e5033035a2a4647.tar.gz |
Limit reads in do_b2i_bio()
Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.
Thanks to Shi Lei for reporting this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/pem')
-rw-r--r-- | crypto/pem/pvkfmt.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 3a27f2d7fc..416bfc2a47 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -66,6 +66,9 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r) # define MS_KEYTYPE_KEYX 0x1 # define MS_KEYTYPE_SIGN 0x2 +/* Maximum length of a blob after header */ +# define BLOB_MAX_LENGTH 102400 + /* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */ # define MS_PVKMAGIC 0xb0b5f11eL /* Salt length for PVK files */ @@ -211,6 +214,10 @@ static EVP_PKEY *do_b2i_bio(BIO *in, int ispub) return NULL; length = blob_length(bitlen, isdss, ispub); + if (length > BLOB_MAX_LENGTH) { + PEMerr(PEM_F_DO_B2I_BIO, PEM_R_HEADER_TOO_LONG); + return NULL; + } buf = OPENSSL_malloc(length); if (buf == NULL) { PEMerr(PEM_F_DO_B2I_BIO, ERR_R_MALLOC_FAILURE); |