ASN1_get_object should not accept large universal tags. The high bits of the type get used for the V_ASN1_NEG bit, so when used with ASN1_ANY/ASN1_TYPE, universal tags become ambiguous. This allows one to create a negative zero, which should be impossible. Impose an upper bound on universal tags accepted by crypto/asn1 and add a test. BUG=590615 Change-Id: I363e01ebfde621c8865101f5bcbd5f323fb59e79 Reviewed-on: https://boringssl-review.googlesource.com/7238 Reviewed-by: Adam Langley <agl@google.com>

commit: fb2c6f8c8565e1e2d85c24408050c96521acbcdc [log] [tgz]
author: David Benjamin <davidben@google.com> Mon Feb 29 15:42:59 2016 -0500
committer: Adam Langley <agl@google.com> Mon Feb 29 21:17:19 2016 +0000
tree: affbfa57e4f6bc8524ab01e1608f0d00a6e4937f
parent: 7e8ed440135c166d0a29e28548b485b66d1645b8 [diff] [blame]
diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h
index ae732e2..8296ca4 100644
--- a/include/openssl/asn1.h
+++ b/include/openssl/asn1.h

@@ -85,6 +85,9 @@
 #define V_ASN1_ANY			-4	/* used in ASN1 template code */
 
 #define V_ASN1_NEG			0x100	/* negative flag */
+/* No supported universal tags may exceed this value, to avoid ambiguity with
+ * V_ASN1_NEG. */
+#define V_ASN1_MAX_UNIVERSAL		0xff
 
 #define V_ASN1_UNDEF			-1
 #define V_ASN1_EOC			0
commit	fb2c6f8c8565e1e2d85c24408050c96521acbcdc	[log] [tgz]
author	David Benjamin <davidben@google.com>	Mon Feb 29 15:42:59 2016 -0500
committer	Adam Langley <agl@google.com>	Mon Feb 29 21:17:19 2016 +0000
tree	affbfa57e4f6bc8524ab01e1608f0d00a6e4937f
parent	7e8ed440135c166d0a29e28548b485b66d1645b8 [diff] [blame]