From f430d62b4fe075df6845f568cfe89f342a413eae Mon Sep 17 00:00:00 2001 From: tb Date: Wed, 31 Aug 2022 09:38:00 +0000 Subject: [PATCH] Avoid some buffer overflows in ecdsatest The ASN.1 encoding of the modified ECDSA signature can grow in size due to padding of the ASN.1 integers. Instead of reusing the same signature buffer freshly allocate it. Avoids some buffer overflows caught by ASAN. --- regress/lib/libcrypto/ecdsa/ecdsatest.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/regress/lib/libcrypto/ecdsa/ecdsatest.c b/regress/lib/libcrypto/ecdsa/ecdsatest.c index 45ffd91ab40..6cbe345d08e 100644 --- a/regress/lib/libcrypto/ecdsa/ecdsatest.c +++ b/regress/lib/libcrypto/ecdsa/ecdsatest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecdsatest.c,v 1.11 2022/08/31 09:36:46 tb Exp $ */ +/* $OpenBSD: ecdsatest.c,v 1.12 2022/08/31 09:38:00 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -251,7 +251,8 @@ test_builtin(BIO *out) BIO_printf(out, "."); (void)BIO_flush(out); /* create signature */ - sig_len = ECDSA_size(eckey); + if ((sig_len = ECDSA_size(eckey)) == 0) + goto builtin_err; if ((signature = malloc(sig_len)) == NULL) goto builtin_err; if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) { @@ -332,6 +333,12 @@ test_builtin(BIO *out) r = NULL; s = NULL; + if ((sig_len = i2d_ECDSA_SIG(ecdsa_sig, NULL)) <= 0) + goto builtin_err; + free(signature); + if ((signature = calloc(1, sig_len)) == NULL) + goto builtin_err; + sig_ptr2 = signature; sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2); if (ECDSA_verify(0, digest, 20, signature, sig_len, @@ -349,6 +356,12 @@ test_builtin(BIO *out) r = NULL; s = NULL; + if ((sig_len = i2d_ECDSA_SIG(ecdsa_sig, NULL)) <= 0) + goto builtin_err; + free(signature); + if ((signature = calloc(1, sig_len)) == NULL) + goto builtin_err; + sig_ptr2 = signature; sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2); if (ECDSA_verify(0, digest, 20, signature, sig_len, -- 2.20.1