forked from rpms/openssl
df4dd7dd7f
Resolves: CVE-2023-2650
31 lines
1.0 KiB
Diff
31 lines
1.0 KiB
Diff
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
|
|
index 01cde00e98..c0e55197a0 100644
|
|
--- a/crypto/objects/obj_dat.c
|
|
+++ b/crypto/objects/obj_dat.c
|
|
@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
|
|
first = 1;
|
|
bl = NULL;
|
|
|
|
+ /*
|
|
+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
|
|
+ *
|
|
+ * > 3.5. OBJECT IDENTIFIER values
|
|
+ * >
|
|
+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
|
|
+ * > numbers. For the SMIv2, each number in the list is referred to as a
|
|
+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
|
|
+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
|
|
+ * > decimal).
|
|
+ *
|
|
+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
|
|
+ * i.e. 586 bytes long.
|
|
+ *
|
|
+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
|
|
+ */
|
|
+ if (len > 586)
|
|
+ goto err;
|
|
+
|
|
while (len > 0) {
|
|
l = 0;
|
|
use_bn = 0;
|