asn1: fix out-of-bounds read in decoding constructed objects
* OpenSSL::ASN1.{decode,decode_all,traverse}: have an out-of-bounds
read bug. int_ossl_asn1_decode0_cons() does not give the
correct available length to ossl_asn1_decode() when decoding the
inner components of a constructed object. This can cause an
out-of-bounds read if crafted input is given.
Reference: https://hackerone.com/reports/170316
1648afef33
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59800 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
parent
842d5cff6a
commit
1433d4337c
4 changed files with 43 additions and 8 deletions
13
ChangeLog
13
ChangeLog
|
|
@ -1,3 +1,16 @@
|
|||
Sat Sep 9 23:05:31 2017 Kazuki Yamaguchi <k@rhe.jp>
|
||||
|
||||
asn1: fix out-of-bounds read in decoding constructed objects
|
||||
|
||||
* OpenSSL::ASN1.{decode,decode_all,traverse}: have a bug of
|
||||
out-of-bounds read. int_ossl_asn1_decode0_cons() does not give the
|
||||
correct available length to ossl_asn1_decode() when decoding the
|
||||
inner components of a constructed object. This can cause
|
||||
out-of-bounds read if a crafted input given.
|
||||
|
||||
Reference: https://hackerone.com/reports/170316
|
||||
https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b
|
||||
|
||||
Sat Sep 9 22:57:24 2017 SHIBATA Hiroshi <hsbt@ruby-lang.org>
|
||||
|
||||
* ext/json: bump to version 1.8.3.1. [Backport #13853]
|
||||
|
|
|
|||
|
|
@ -870,19 +870,18 @@ int_ossl_asn1_decode0_cons(unsigned char **pp, long max_len, long length,
|
|||
{
|
||||
VALUE value, asn1data, ary;
|
||||
int infinite;
|
||||
long off = *offset;
|
||||
long available_len, off = *offset;
|
||||
|
||||
infinite = (j == 0x21);
|
||||
ary = rb_ary_new();
|
||||
|
||||
while (length > 0 || infinite) {
|
||||
available_len = infinite ? max_len : length;
|
||||
while (available_len > 0) {
|
||||
long inner_read = 0;
|
||||
value = ossl_asn1_decode0(pp, max_len, &off, depth + 1, yield, &inner_read);
|
||||
value = ossl_asn1_decode0(pp, available_len, &off, depth + 1, yield, &inner_read);
|
||||
*num_read += inner_read;
|
||||
max_len -= inner_read;
|
||||
available_len -= inner_read;
|
||||
rb_ary_push(ary, value);
|
||||
if (length > 0)
|
||||
length -= inner_read;
|
||||
|
||||
if (infinite &&
|
||||
NUM2INT(ossl_asn1_get_tag(value)) == V_ASN1_EOC &&
|
||||
|
|
@ -973,7 +972,7 @@ ossl_asn1_decode0(unsigned char **pp, long length, long *offset, int depth,
|
|||
if(j & V_ASN1_CONSTRUCTED) {
|
||||
*pp += hlen;
|
||||
off += hlen;
|
||||
asn1data = int_ossl_asn1_decode0_cons(pp, length, len, &off, depth, yield, j, tag, tag_class, &inner_read);
|
||||
asn1data = int_ossl_asn1_decode0_cons(pp, length - hlen, len, &off, depth, yield, j, tag, tag_class, &inner_read);
|
||||
inner_read += hlen;
|
||||
}
|
||||
else {
|
||||
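Review bot: In the definite-length case, `available_len = infinite ? max_len : length;` uses the declared content length as the read budget without comparing it to `max_len`. The bound therefore holds only if the caller has already rejected a `length` larger than the remaining buffer. That check is not visible in either hunk (int_ossl_asn1_decode0_cons() and ossl_asn1_decode0() both extend outside them); presumably ASN1_get_object() enforces it, but the invariant should be explicit at the point where it matters. I would add `if (!infinite && length > max_len) ossl_raise(eASN1Error, "value is too long");` before the assignment, with a comment such as `/* available_len: bytes the inner components may consume, never more than the enclosing buffer */`.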
|
|
|
|||
|
|
@ -596,6 +596,29 @@ rEzBQ0F9dUyqQ9gyRg8KHhDfv9HzT1d/rnUZMkoombwYBRIUChGCYV0GnJcan2Zm
|
|||
assert_equal(false, asn1.value[3].infinite_length)
|
||||
end
|
||||
|
||||
def test_decode_constructed_overread
|
||||
test = %w{ 31 06 31 02 30 02 05 00 }
|
||||
# ^ <- invalid
|
||||
raw = [test.join].pack("H*")
|
||||
ret = []
|
||||
assert_raise(OpenSSL::ASN1::ASN1Error) {
|
||||
OpenSSL::ASN1.traverse(raw) { |x| ret << x }
|
||||
}
|
||||
assert_equal 2, ret.size
|
||||
assert_equal 17, ret[0][6]
|
||||
assert_equal 17, ret[1][6]
|
||||
|
||||
test = %w{ 31 80 30 03 00 00 }
|
||||
# ^ <- invalid
|
||||
raw = [test.join].pack("H*")
|
||||
ret = []
|
||||
assert_raise(OpenSSL::ASN1::ASN1Error) {
|
||||
OpenSSL::ASN1.traverse(raw) { |x| ret << x }
|
||||
}
|
||||
assert_equal 1, ret.size
|
||||
assert_equal 17, ret[0][6]
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def assert_universal(tag, asn1)
|
||||
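Review bot: test_decode_constructed_overread only drives `OpenSSL::ASN1.traverse`, while the commit message names `decode` and `decode_all` as affected entry points too. A later change to either of those could reintroduce the over-read without failing this test. After each traverse assertion I would add `assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1.decode(raw) }` and `assert_raise(OpenSSL::ASN1::ASN1Error) { OpenSSL::ASN1.decode_all(raw) }`. The bare `ret[0][6]` / `17` pairs would also read better with a short comment, e.g. `# index 6 is the tag yielded by traverse; 17 = SET` (my reading of the 0x31 bytes; please confirm).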
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
#define RUBY_VERSION "2.3.5"
|
||||
#define RUBY_RELEASE_DATE "2017-09-09"
|
||||
#define RUBY_PATCHLEVEL 368
|
||||
#define RUBY_PATCHLEVEL 369
|
||||
|
||||
#define RUBY_RELEASE_YEAR 2017
|
||||
#define RUBY_RELEASE_MONTH 9
|
||||
|
|
|
|||