Error out on negative shifts in BN_{r,l}shift()

Without these checks in both functions nw = n / BN_BITS2 will be negative
and this leads to out-of-bounds accesses via negative array indices and
memset with a negative size.

Pointed out by cheloha

ok jsing

diff --git a/lib/libcrypto/bn/bn_shift.c b/lib/libcrypto/bn/bn_shift.c
index 0e8211e..e89e157 100644 (file)
--- a/lib/libcrypto/bn/bn_shift.c
+++ b/lib/libcrypto/bn/bn_shift.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_shift.c,v 1.13 2014/10/28 07:35:58 jsg Exp $ */
+/* $OpenBSD: bn_shift.c,v 1.14 2022/06/22 09:03:06 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,6 +59,8 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <openssl/err.h>
+
 #include "bn_lcl.h"
 
 int
@@ -138,6 +140,11 @@ BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
        BN_ULONG *t, *f;
        BN_ULONG l;
 
+       if (n < 0) {
+               BNerror(BN_R_INVALID_LENGTH);
+               return 0;
+       }
+
        bn_check_top(r);
        bn_check_top(a);
 
@@ -175,6 +182,11 @@ BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
        BN_ULONG *t, *f;
        BN_ULONG l, tmp;
 
+       if (n < 0) {
+               BNerror(BN_R_INVALID_LENGTH);
+               return 0;
+       }
+
        bn_check_top(r);
        bn_check_top(a);