diff options
| author | Emilia Kasper <emilia@openssl.org> | 2015-05-12 19:00:30 +0200 |
|---|---|---|
| committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-22 00:14:30 +0200 |
| commit | 35b67e71c552e65e2a7bdd2af7cb740e83490a62 (patch) | |
| tree | 21a9128e44b4310aa50cf495c3eac01cec65c4ff | |
| parent | 8fe0c7fba9bc1ae9289afd8c42d94422c08311c5 (diff) | |
| download | replicant_openssl-35b67e71c552e65e2a7bdd2af7cb740e83490a62.zip replicant_openssl-35b67e71c552e65e2a7bdd2af7cb740e83490a62.tar.gz replicant_openssl-35b67e71c552e65e2a7bdd2af7cb740e83490a62.tar.bz2 | |
PKCS#7: Fix NULL dereference with missing EncryptedContent.
CVE-2015-1790
Reviewed-by: Rich Salz <rsalz@openssl.org>
| -rw-r--r-- | crypto/pkcs7/pk7_doit.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 77fda3b..a8e9e5b 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -439,12 +439,19 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) switch (i) { case NID_pkcs7_signed: + /* + * p7->d.sign->contents is a PKCS7 structure consisting of a contentType + * field and optional content. + * data_body is NULL if that structure has no (=detached) content + * or if the contentType is wrong (i.e., not "data"). + */ data_body=PKCS7_get_octet_string(p7->d.sign->contents); md_sk=p7->d.sign->md_algs; break; case NID_pkcs7_signedAndEnveloped: rsk=p7->d.signed_and_enveloped->recipientinfo; md_sk=p7->d.signed_and_enveloped->md_algs; + /* data_body is NULL if the optional EncryptedContent is missing. */ data_body=p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); @@ -457,6 +464,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) case NID_pkcs7_enveloped: rsk=p7->d.enveloped->recipientinfo; enc_alg=p7->d.enveloped->enc_data->algorithm; + /* data_body is NULL if the optional EncryptedContent is missing. */ data_body=p7->d.enveloped->enc_data->enc_data; evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) @@ -470,6 +478,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) goto err; } + /* Detached content must be supplied via in_bio instead. */ + if (data_body == NULL && in_bio == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); + goto err; + } + /* We will be checking the signature */ if (md_sk != NULL) { @@ -626,7 +640,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } #if 1 - if (PKCS7_is_detached(p7) || (in_bio != NULL)) + if (in_bio != NULL) { bio=in_bio; } |