projects / BearSSL / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2893441)
Fixed buffer overflow in private key decoding (wrong buffer length used in size check).
authorThomas Pornin <pornin@bolet.org>
Sat, 20 Jul 2019 14:36:36 +0000 (10:36 -0400)
committerThomas Pornin <pornin@bolet.org>
Sat, 20 Jul 2019 14:36:36 +0000 (10:36 -0400)
src/x509/skey_decoder.c patch | blob | history
src/x509/skey_decoder.t0 patch | blob | history

diff --git a/src/x509/skey_decoder.c b/src/x509/skey_decoder.c
index f4e43e7..9e285d7 100644 (file)
--- a/src/x509/skey_decoder.c
+++ b/src/x509/skey_decoder.c
@@ -155,7 +155,7 @@ static const unsigned char t0_codeblock[] = {
        0x02, 0x06, 0x1E, 0x00, 0x00, 0x19, 0x19, 0x00, 0x00, 0x01, 0x0B, 0x00,
        0x00, 0x01, 0x00, 0x20, 0x14, 0x06, 0x08, 0x01, 0x01, 0x21, 0x20, 0x22,
        0x20, 0x04, 0x75, 0x13, 0x00, 0x00, 0x01,
        0x02, 0x06, 0x1E, 0x00, 0x00, 0x19, 0x19, 0x00, 0x00, 0x01, 0x0B, 0x00,
        0x00, 0x01, 0x00, 0x20, 0x14, 0x06, 0x08, 0x01, 0x01, 0x21, 0x20, 0x22,
        0x20, 0x04, 0x75, 0x13, 0x00, 0x00, 0x01,
-       T0_INT2(3 * BR_X509_BUFSIZE_KEY), 0x00, 0x01, 0x01, 0x87, 0xFF, 0xFF,
+       T0_INT2(3 * BR_X509_BUFSIZE_SIG), 0x00, 0x01, 0x01, 0x87, 0xFF, 0xFF,
        0x7F, 0x54, 0x57, 0x01, 0x02, 0x3E, 0x55, 0x01, 0x01, 0x0E, 0x06, 0x02,
        0x30, 0x16, 0x57, 0x01, 0x02, 0x19, 0x0D, 0x06, 0x06, 0x13, 0x3B, 0x44,
        0x32, 0x04, 0x1C, 0x01, 0x04, 0x19, 0x0D, 0x06, 0x08, 0x13, 0x3B, 0x01,
        0x7F, 0x54, 0x57, 0x01, 0x02, 0x3E, 0x55, 0x01, 0x01, 0x0E, 0x06, 0x02,
        0x30, 0x16, 0x57, 0x01, 0x02, 0x19, 0x0D, 0x06, 0x06, 0x13, 0x3B, 0x44,
        0x32, 0x04, 0x1C, 0x01, 0x04, 0x19, 0x0D, 0x06, 0x08, 0x13, 0x3B, 0x01,
diff --git a/src/x509/skey_decoder.t0 b/src/x509/skey_decoder.t0
index 5b59421..f00e614 100644 (file)
--- a/src/x509/skey_decoder.t0
+++ b/src/x509/skey_decoder.t0
@@ -80,7 +80,7 @@ cc: read-blob-inner ( addr len -- addr len ) {
 
 \ Get the length of the key_data buffer.
 : len-key_data
 
 \ Get the length of the key_data buffer.
 : len-key_data
-       CX 0 8191 { 3 * BR_X509_BUFSIZE_KEY } ;
+       CX 0 8191 { 3 * BR_X509_BUFSIZE_SIG } ;
 
 \ Get the address and length for the key_data buffer.
 : addr-len-key_data ( -- addr len )
 
 \ Get the address and length for the key_data buffer.
 : addr-len-key_data ( -- addr len )
The BearSSL library and tools.