File gnutls-CVE-2017-5336.patch of Package gnutls.8596
From 5140422e0d7319a8e2fe07f02cbcafc4d6538732 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 4 Jan 2017 14:56:50 +0100
Subject: [PATCH] opencdk: cdk_pk_get_keyid: fix stack overflow
Issue found using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
lib/opencdk/pubkey.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
Index: gnutls-3.2.15/lib/opencdk/pubkey.c
===================================================================
--- gnutls-3.2.15.orig/lib/opencdk/pubkey.c 2013-11-10 18:59:14.000000000 +0100
+++ gnutls-3.2.15/lib/opencdk/pubkey.c 2017-01-10 15:43:17.443611035 +0100
@@ -519,6 +519,7 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u3
{
u32 lowbits = 0;
byte buf[24];
+ int rc;
if (pk && (!pk->keyid[0] || !pk->keyid[1])) {
if (pk->version < 4 && is_RSA(pk->pubkey_algo)) {
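Review bot: The new `int rc;` at the top of cdk_pk_get_keyid is declared wider than its only use: the diffstat's seven insertions are all visible in this patch, and rc is assigned and tested solely inside the `pk->version < 4 && is_RSA(pk->pubkey_algo)` branch, the same block that already declares `size_t n;`. Declaring it next to that line, `size_t n;` followed by `int rc;`, keeps the file's declarations-at-block-top style while confining the variable to the branch that owns the _gnutls_mpi_print result, so a later reader cannot mistake it for function-wide state. The function body continues past this hunk.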
@@ -526,7 +527,12 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u3
size_t n;
n = MAX_MPI_BYTES;
- _gnutls_mpi_print(pk->mpi[0], p, &n);
+ rc = _gnutls_mpi_print(pk->mpi[0], p, &n);
+ if (rc < 0 || n < 8) {
+ keyid[0] = keyid[1] = (u32)-1;
+ return (u32)-1;
+ }
+
pk->keyid[0] =
p[n - 8] << 24 | p[n - 7] << 16 | p[n -
6] << 8 |