authorGary Lockyer <gary@catalyst.net.nz>2020-04-08 15:30:52 +1200
committerKarolin Seeger <kseeger@samba.org>2020-04-22 12:50:42 +0200
commit16da9c6e3d87d11e358441804dc7ff842eb5a9e7 (patch)
treee9ab8d42d59c7d597a3fc8854a37d796b676ac6c
parent74986c179ea66d1cefda3ff6bb6338b618da451f (diff)
downloadsamba-16da9c6e3d87d11e358441804dc7ff842eb5a9e7.tar.gz
CVE-2020-10704: lib util asn1: Check parse tree depth
Check the current depth of the parse tree and reject the input if the depth exceeds that passed to asn1_init.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--lib/util/asn1.c13
-rw-r--r--selftest/knownfail.d/ldap_message2
2 files changed, 13 insertions, 2 deletions
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index ec6e674ce20..ee3cff9cb65 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -647,6 +647,16 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
uint8_t b;
struct nesting *nesting;
+ /*
+ * Check the depth of the parse tree and prevent it from growing
+ * too large.
+ */
+ data->depth++;
+ if (data->depth > data->max_depth) {
+ data->has_error = true;
+ return false;
+ }
+
if (!asn1_read_uint8(data, &b))
return false;
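Review bot: `data->depth++` runs before the depth check and before `asn1_read_uint8()`, so every failure return in `asn1_start_tag` leaves the counter raised without a matching nesting entry. The `asn1_end_tag` hunk has the mirror case: it decrements before the `asn1_tag_remaining()` check, so its error returns lower the counter without a completed pop. This is harmless only if every such path also sets `data->has_error` and callers never continue parsing after a `false` return, which cannot be confirmed from these hunks. Testing first with `if (data->depth >= data->max_depth) { data->has_error = true; return false; }` and doing `data->depth++;` only where the new nesting entry is recorded (outside this hunk) would keep the same bound while tying the counter to the nesting stack. It would also help to extend the comment to say that the limit bounds recursion on attacker-supplied nested input, and that `depth` is not meaningful once `has_error` is set.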
@@ -703,6 +713,9 @@ bool asn1_end_tag(struct asn1_data *data)
{
struct nesting *nesting;
+ if (data->depth > 0) {
+ data->depth--;
+ }
/* make sure we read it all */
if (asn1_tag_remaining(data) != 0) {
data->has_error = true;
diff --git a/selftest/knownfail.d/ldap_message b/selftest/knownfail.d/ldap_message
deleted file mode 100644
index 242eff45e59..00000000000
--- a/selftest/knownfail.d/ldap_message
+++ /dev/null
@@ -1,2 +0,0 @@
-^libcli.ldap.ldap_message.test_recursion_depth_greater_than_max\(none\)
-^libcli.ldap.ldap_message.test_recursion_depth_large\(none\)