From 59d00fc439e5851f60925febda8d7f7816a44563 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 2 Oct 2010 10:03:55 +0200 Subject: lib/util/asn1: let asn1_peek_full_tag() return an error if we fail to parse tag hdr/len metze Autobuild-User: Stefan Metzmacher Autobuild-Date: Mon Oct 4 14:46:40 UTC 2010 on sn-devel-104 --- lib/util/asn1.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'lib/util/asn1.c') diff --git a/lib/util/asn1.c b/lib/util/asn1.c index 7e37fbc91bd..7635ce2d883 100644 --- a/lib/util/asn1.c +++ b/lib/util/asn1.c @@ -527,6 +527,18 @@ bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag, size_t *size data->has_error = false; return false; } + if (n > 4) { + /* + * We should not allow more than 4 bytes + * for the encoding of the tag length. + * + * Otherwise we'd overflow the taglen + * variable on 32 bit systems. + */ + data->ofs = start_ofs; + data->has_error = false; + return false; + } taglen = b; while (n > 1) { if (!asn1_read_uint8(data, &b)) { @@ -1020,7 +1032,7 @@ NTSTATUS asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size) ok = asn1_peek_tag_needed_size(&asn1, tag, &size); if (!ok) { - return STATUS_MORE_ENTRIES; + return NT_STATUS_INVALID_BUFFER_SIZE; } if (size > blob.length) { -- cgit