commit 7a8e62dbd9df2ca2ee522fb3072edbfef6aafd11
author David Benjamin <davidben@chromium.org> Thu Mar 19 15:03:10 2015 -0400
committer Adam Langley <agl@google.com> Thu Mar 19 19:48:41 2015 +0000
tree 08be7b70a247837b27e0ed981bbb6d40033a5c69
parent 61c0d4e8b210104f6e9575421411641d9fe87086

Fix ASN1_TYPE_cmp

Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

(Imported from upstream's e677e8d13595f7b3287f8feef7676feb301b0e8a.)

Change-Id: I5faefc190568504bb5895ed9816a6d80432cfa45
Reviewed-on: https://boringssl-review.googlesource.com/4048
Reviewed-by: Adam Langley <agl@google.com>

crypto/asn1/a_type.c

diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 75a17d5..fd3d5b1 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -125,6 +125,9 @@
 	case V_ASN1_NULL:
 		result = 0;	/* They do not have content. */
 		break;
+	case V_ASN1_BOOLEAN:
+		result = a->value.boolean - b->value.boolean;
+		break;
 	case V_ASN1_INTEGER:
 	case V_ASN1_NEG_INTEGER:
 	case V_ASN1_ENUMERATED: