asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag().

Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>
author: Jeremy Allison <jra@samba.org> 2016-02-05 13:15:57 -0800
committer: Jeremy Allison <jra@samba.org> 2016-02-09 22:29:12 +0100
commit: 697088ef165d9ee42502d7a8ab51edc90010386e (patch)
tree: ffbfdef6104d8479d912bae01f1f85ef3d003d2e /lib/util/asn1.c
parent: f60f7a62e259ec518c94c08b23ef0dce9d41083b (diff)
download: samba-697088ef165d9ee42502d7a8ab51edc90010386e.tar.gz
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index dc7f679fa61..029265e2b86 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -593,12 +593,24 @@ static bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag,
 		}
 		taglen = b;
 		while (n > 1) {
+			size_t tmp_taglen;
+
 			if (!asn1_read_uint8(data, &b)) {
 				data->ofs = start_ofs;
 				data->has_error = false;
 				return false;
 			}
-			taglen = (taglen << 8) | b;
+
+			tmp_taglen = (taglen << 8) | b;
+
+			if ((tmp_taglen >> 8) != taglen) {
+				/* overflow */
+				data->ofs = start_ofs;
+				data->has_error = false;
+				return false;
+			}
+			taglen = tmp_taglen;
+
 			n--;
 		}
 	} else {
author	Jeremy Allison <jra@samba.org>	2016-02-05 13:15:57 -0800
committer	Jeremy Allison <jra@samba.org>	2016-02-09 22:29:12 +0100
commit	697088ef165d9ee42502d7a8ab51edc90010386e (patch)
tree	ffbfdef6104d8479d912bae01f1f85ef3d003d2e /lib/util/asn1.c
parent	f60f7a62e259ec518c94c08b23ef0dce9d41083b (diff)
download	samba-697088ef165d9ee42502d7a8ab51edc90010386e.tar.gz