diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2015-03-09 23:11:45 +0000 |
---|---|---|
committer | Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> | 2015-10-22 01:01:12 +0200 |
commit | ad943c8df0520cc314ac5c875306ccf01c0747c9 (patch) | |
tree | 40372b3286602d9bef15b7285ae750f1b716b48a | |
parent | 843e826def0aa23258690c39aa03fc2862516842 (diff) | |
download | replicant_openssl-ad943c8df0520cc314ac5c875306ccf01c0747c9.zip replicant_openssl-ad943c8df0520cc314ac5c875306ccf01c0747c9.tar.gz replicant_openssl-ad943c8df0520cc314ac5c875306ccf01c0747c9.tar.bz2 |
Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
CVE-2015-0286
Reviewed-by: Richard Levitte <levitte@openssl.org>
-rw-r--r-- | crypto/asn1/a_type.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c index a45d2f9..7c4fa4d 100644 --- a/crypto/asn1/a_type.c +++ b/crypto/asn1/a_type.c @@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) case V_ASN1_OBJECT: result = OBJ_cmp(a->value.object, b->value.object); break; + case V_ASN1_BOOLEAN: + result = a->value.boolean - b->value.boolean; + break; case V_ASN1_NULL: result = 0; /* They do not have content. */ break; |