asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start...
authorJeremy Allison <jra@samba.org>
Fri, 5 Feb 2016 21:15:57 +0000 (13:15 -0800)
committerJeremy Allison <jra@samba.org>
Tue, 9 Feb 2016 21:29:12 +0000 (22:29 +0100)
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
lib/util/asn1.c

index dc7f679fa6194460458e819bf23ad97a83f3fa66..029265e2b86acc5a027fe96d8347cee2008f0d7f 100644 (file)
@@ -593,12 +593,24 @@ static bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag,
                }
                taglen = b;
                while (n > 1) {
+                       size_t tmp_taglen;
+
                        if (!asn1_read_uint8(data, &b)) {
                                data->ofs = start_ofs;
                                data->has_error = false;
                                return false;
                        }
-                       taglen = (taglen << 8) | b;
+
+                       tmp_taglen = (taglen << 8) | b;
+
+                       if ((tmp_taglen >> 8) != taglen) {
+                               /* overflow */
+                               data->ofs = start_ofs;
+                               data->has_error = false;
+                               return false;
+                       }
+                       taglen = tmp_taglen;
+
                        n--;
                }
        } else {
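Review bot: The new overflow branch under `if ((tmp_taglen >> 8) != taglen)` restores `data->ofs`, clears `data->has_error` and returns false exactly as the short-read branch above it does, so a length field that can never fit in `size_t` looks the same to the caller as input that is merely incomplete. If callers treat false as "wait for more bytes" (they are outside this hunk, so this is inferred), a peer sending an oversized length would not be rejected as malformed; it is worth confirming that they fail the packet instead. At minimum the terse `/* overflow */` could say what the branch means, e.g. `/* length does not fit in size_t: malformed input, not a short read */`. The shift-back test is only sound if `taglen` is an unsigned `size_t` like `tmp_taglen`; its declaration, and the start and end of `asn1_peek_tag_needed_size()`, lie outside the hunk.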