author | Gary Lockyer <gary@catalyst.net.nz> | 2020-04-08 15:30:52 +1200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-04-22 12:50:42 +0200 |
commit | 16da9c6e3d87d11e358441804dc7ff842eb5a9e7 (patch) | |
tree | e9ab8d42d59c7d597a3fc8854a37d796b676ac6c | |
parent | 74986c179ea66d1cefda3ff6bb6338b618da451f (diff) | |
download | samba-16da9c6e3d87d11e358441804dc7ff842eb5a9e7.tar.gz |
CVE-2020-10704: lib util asn1: Check parse tree depth
Check the current depth of the parse tree and reject the input if the
depth exceeds that passed to asn1_init
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | lib/util/asn1.c | 13 | ||||
-rw-r--r-- | selftest/knownfail.d/ldap_message | 2 |
2 files changed, 13 insertions, 2 deletions
diff --git a/lib/util/asn1.c b/lib/util/asn1.c index ec6e674ce20..ee3cff9cb65 100644 --- a/lib/util/asn1.c +++ b/lib/util/asn1.c @@ -647,6 +647,16 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag) uint8_t b; struct nesting *nesting; + /* + * Check the depth of the parse tree and prevent it from growing + * too large. + */ + data->depth++; + if (data->depth > data->max_depth) { + data->has_error = true; + return false; + } + if (!asn1_read_uint8(data, &b)) return false; @@ -703,6 +713,9 @@ bool asn1_end_tag(struct asn1_data *data) { struct nesting *nesting; + if (data->depth > 0) { + data->depth--; + } /* make sure we read it all */ if (asn1_tag_remaining(data) != 0) { data->has_error = true; diff --git a/selftest/knownfail.d/ldap_message b/selftest/knownfail.d/ldap_message deleted file mode 100644 index 242eff45e59..00000000000 --- a/selftest/knownfail.d/ldap_message +++ /dev/null @@ -1,2 +0,0 @@ -^libcli.ldap.ldap_message.test_recursion_depth_greater_than_max\(none\) -^libcli.ldap.ldap_message.test_recursion_depth_large\(none\) |
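Review bot: The new guard in asn1_start_tag increments `data->depth` before the `asn1_read_uint8` check, and neither the limit rejection nor that early `return false` restores it, so a failed start leaves the counter one level high with no matching asn1_end_tag. That is harmless only if `has_error` is never cleared on a reused `struct asn1_data`, which this hunk does not show; I would record the assumption in the comment, e.g. `* depth is not unwound on failure: has_error is sticky and the parse is abandoned.` The rejection also sets only `has_error`, so a caller cannot tell a depth-limit hit from any other malformed encoding when it wants to log or count these inputs. Assuming `depth` starts at zero, a `max_depth` of 0 rejects the very first tag (1 > 0), which is worth stating where the limit is documented. The function body continues outside the hunk.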
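Review bot: The decrement in asn1_end_tag runs before the `asn1_tag_remaining` check, so the level is released even when the end tag is then rejected, and the `> 0` clamp silently absorbs an end tag that has no matching start. Both look deliberate but neither is explained; a comment such as `/* leave one nesting level; clamp so an unbalanced end tag cannot underflow depth */` above the `if` would help, along with a blank line after the `nesting` declaration as in asn1_start_tag. The rest of the function is outside the hunk, so whether an unbalanced call is caught further down is not visible here.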