3 files changed, 7 insertions, 3 deletions

diff --git a/lib/x509/common.h b/lib/x509/common.h
index 6716939255..b0c1c5e29f 100644
--- a/lib/x509/common.h
+++ b/lib/x509/common.h
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003-2012 Free Software Foundation, Inc.
+ * Copyright (C) 2017 Red Hat, Inc.
  *
  * Author: Nikos Mavrogiannopoulos
  *
@@ -29,6 +30,9 @@
 #include <fips.h>
 
 #define MAX_STRING_LEN 512
+/* Set a maximum iteration count over which we refuse to
+ * decode a file. That is to prevent DoS. */
+#define MAX_ITER_COUNT (10*1024*1024)
 
 #define GNUTLS_XML_SHOW_ALL 1
 
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index c15752f995..45233acd8a 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -662,7 +662,7 @@ read_pbkdf2_params(ASN1_TYPE pasn,
 		goto error;
 	}
 
-	if (params->iter_count >= INT_MAX || params->iter_count == 0) {
+	if (params->iter_count >= MAX_ITER_COUNT || params->iter_count == 0) {
 		result = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 		goto error;
 	}
@@ -737,7 +737,7 @@ static int read_pkcs12_kdf_params(ASN1_TYPE pasn, struct pbkdf2_params *params)
 	if (result < 0)
 		return gnutls_assert_val(result);
 
-	if (params->iter_count >= INT_MAX || params->iter_count == 0)
+	if (params->iter_count >= MAX_ITER_COUNT || params->iter_count == 0)
 		return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 
 	_gnutls_hard_log("iterationCount: %d\n", params->iter_count);
diff --git a/lib/x509/privkey_pkcs8_pbes1.c b/lib/x509/privkey_pkcs8_pbes1.c
index 86ba2609f0..1e4ba60aa1 100644
--- a/lib/x509/privkey_pkcs8_pbes1.c
+++ b/lib/x509/privkey_pkcs8_pbes1.c
@@ -74,7 +74,7 @@ int _gnutls_read_pbkdf1_params(const uint8_t * data, int data_size,
 		goto error;
 	}
 
-	if (kdf_params->iter_count >= INT_MAX || kdf_params->iter_count == 0) {
+	if (kdf_params->iter_count >= MAX_ITER_COUNT || kdf_params->iter_count == 0) {
 		ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
 		goto error;
 	}