diff options
author | Jeremy Allison <jra@samba.org> | 2016-02-05 13:15:57 -0800 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2016-02-09 22:29:12 +0100 |
commit | 697088ef165d9ee42502d7a8ab51edc90010386e (patch) | |
tree | ffbfdef6104d8479d912bae01f1f85ef3d003d2e /lib/util/asn1.c | |
parent | f60f7a62e259ec518c94c08b23ef0dce9d41083b (diff) | |
download | samba-697088ef165d9ee42502d7a8ab51edc90010386e.tar.gz |
asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Diffstat (limited to 'lib/util/asn1.c')
-rw-r--r-- | lib/util/asn1.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/util/asn1.c b/lib/util/asn1.c index dc7f679fa61..029265e2b86 100644 --- a/lib/util/asn1.c +++ b/lib/util/asn1.c @@ -593,12 +593,24 @@ static bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag, } taglen = b; while (n > 1) { + size_t tmp_taglen; + if (!asn1_read_uint8(data, &b)) { data->ofs = start_ofs; data->has_error = false; return false; } - taglen = (taglen << 8) | b; + + tmp_taglen = (taglen << 8) | b; + + if ((tmp_taglen >> 8) != taglen) { + /* overflow */ + data->ofs = start_ofs; + data->has_error = false; + return false; + } + taglen = tmp_taglen; + n--; } } else { |