Fix ERR_GET_REASON checks. Reason codes across libraries may collide. One must never check ERR_GET_REASON without also checking ERR_GET_LIB. Change-Id: I0b58ce27a5571ab173d231c1a673bce1cf0427aa Reviewed-on: https://boringssl-review.googlesource.com/32110 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <alangley@gmail.com>
diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c
index 50779d2..ee71ee9 100644
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -197,13 +197,12 @@ c.inf = ASN1_get_object(&(c.p), &(c.slen), &(c.tag), &(c.xclass), len - off); if (c.inf & 0x80) { - uint32_t e; - - e = ERR_GET_REASON(ERR_peek_error()); - if (e != ASN1_R_TOO_LONG) + uint32_t error = ERR_peek_error(); + if (ERR_GET_LIB(error) != ERR_LIB_ASN1 || + ERR_GET_REASON(error) != ASN1_R_TOO_LONG) { goto err; - else - ERR_clear_error(); /* clear error */ + } + ERR_clear_error(); } i = c.p - p; /* header length */ off += i; /* end of data */
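Review bot: `ERR_peek_error()` returns the oldest entry in the error queue, so the new library/reason test in this hunk (and the matching one in the crypto/pem/pem_lib.c hunk) only inspects the error `ASN1_get_object` just raised if the queue was empty on entry. If a caller can arrive with a stale error queued, a benign `ASN1_R_TOO_LONG` would be treated as fatal here, and in pem_lib.c the `ERR_add_error_data` annotation, which attaches to the most recent entry, would be skipped; `uint32_t error = ERR_peek_last_error();` would match what the pem_info.c and by_file.c hunks already do. The dropped `/* clear error */` comment could also be replaced by one that says why this code is tolerated, for example `/* TOO_LONG only means the body has not been read yet; any other error is fatal. */` (inferred from the `len - off` argument, so worth confirming). The enclosing function starts and ends outside the hunk.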
diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c
index ba29b83..7ed8aee 100644
--- a/crypto/pem/pem_info.c
+++ b/crypto/pem/pem_info.c
@@ -94,7 +94,7 @@
 void *pp;
 unsigned char *data = NULL;
 const unsigned char *p;
- long len, error = 0;
+ long len;
 int ok = 0;
 STACK_OF(X509_INFO) *ret = NULL;
 unsigned int i, raw, ptype;
@@ -115,8 +115,9 @@
 ptype = 0;
 i = PEM_read_bio(bp, &name, &header, &data, &len);
 if (i == 0) {
- error = ERR_GET_REASON(ERR_peek_last_error());
- if (error == PEM_R_NO_START_LINE) {
+ uint32_t error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_PEM &&
+ ERR_GET_REASON(error) == PEM_R_NO_START_LINE) {
 ERR_clear_error();
 break;
 }
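Review bot: The two-part `ERR_GET_LIB(error) == ERR_LIB_PEM && ERR_GET_REASON(error) == PEM_R_NO_START_LINE` test added in the second hunk is written out again in the pem_lib.c and by_file.c hunks, so a future call site can still forget the library half. A small shared predicate would keep the pairing in one place, for example a static inline helper (the name below is a placeholder) whose body is `return ERR_GET_LIB(err) == lib && ERR_GET_REASON(err) == reason;`, used as `if (err_matches(ERR_peek_last_error(), ERR_LIB_PEM, PEM_R_NO_START_LINE)) {`. The loop this hunk sits in starts and ends outside the hunk.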
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 759c5d7..c682429 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -217,8 +217,11 @@
 for (;;) {
 if (!PEM_read_bio(bp, &nm, &header, &data, &len)) {
- if (ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
+ uint32_t error = ERR_peek_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_PEM &&
+ ERR_GET_REASON(error) == PEM_R_NO_START_LINE) {
 ERR_add_error_data(2, "Expecting: ", name);
+ }
 return 0;
 }
 if (check_pem(nm, name))
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index 555cb85..dfff425 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -138,14 +138,15 @@
 for (;;) {
 x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
 if (x == NULL) {
- if ((ERR_GET_REASON(ERR_peek_last_error()) ==
- PEM_R_NO_START_LINE) && (count > 0)) {
+ uint32_t error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_PEM &&
+ ERR_GET_REASON(error) == PEM_R_NO_START_LINE &&
+ count > 0) {
 ERR_clear_error();
 break;
- } else {
- OPENSSL_PUT_ERROR(X509, ERR_R_PEM_LIB);
- goto err;
 }
+ OPENSSL_PUT_ERROR(X509, ERR_R_PEM_LIB);
+ goto err;
 }
 i = X509_STORE_add_cert(ctx->store_ctx, x);
 if (!i)
@@ -197,14 +198,15 @@
 for (;;) {
 x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
 if (x == NULL) {
- if ((ERR_GET_REASON(ERR_peek_last_error()) ==
- PEM_R_NO_START_LINE) && (count > 0)) {
+ uint32_t error = ERR_peek_last_error();
+ if (ERR_GET_LIB(error) == ERR_LIB_PEM &&
+ ERR_GET_REASON(error) == PEM_R_NO_START_LINE &&
+ count > 0) {
 ERR_clear_error();
 break;
- } else {
- OPENSSL_PUT_ERROR(X509, ERR_R_PEM_LIB);
- goto err;
 }
+ OPENSSL_PUT_ERROR(X509, ERR_R_PEM_LIB);
+ goto err;
 }
 i = X509_STORE_add_crl(ctx->store_ctx, x);
 if (!i)
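Review bot: The `count > 0` term in both hunks carries a policy that the new code never states: running out of PEM blocks is a normal end of file only after at least one certificate or CRL has been loaded (assuming `count` is the number loaded so far; its update is outside the hunks). A short comment above each condition would make that explicit, for example `/* No more PEM blocks: benign only if something was already loaded; otherwise report the failure. */`. The same comment could note that `ERR_clear_error()` empties the whole queue, not just the tolerated PEM entry. Both loops start and end outside the hunks.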