Fix ASN1_TYPE_cmp

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This can be triggered during certificate verification so could be a DoS attack against a client or a server enabling client authentication. CVE-2015-0286 Reviewed-by: Richard Levitte <levitte@openssl.org>
openssl · Mar 9, 2015 · e677e8d13595f7b3287f8feef7676feb301b0e8a · e677e8d
1 parent d3cc5e6
commit e677e8d13595f7b3287f8feef7676feb301b0e8a
Unified Split

Showing with 3 additions and 0 deletions.

+3 −0 crypto/asn1/a_type.c
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
@@ -115,6 +115,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
    case V_ASN1_OBJECT:
        result = OBJ_cmp(a->value.object, b->value.object);
        break;
+    case V_ASN1_BOOLEAN:
+        result = a->value.boolean - b->value.boolean;
+        break;
    case V_ASN1_NULL:
        result = 0;             /* They do not have content. */
        break;