From 2d5b7c9a50d1514cf6e5aa3f1cc4f4b5c3c6ff22 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 23 Jan 2020 13:59:18 -0800
Subject: lib: asn1.c: Prevent ASN1_ENUMERATED from wrapping.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14238
Signed-off-by: Jeremy Allison
Reviewed-by: Douglas Bagnall
Autobuild-User(master): Jeremy Allison
Autobuild-Date(master): Wed Jan 29 01:02:04 UTC 2020 on sn-devel-184
---
 lib/util/asn1.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
(limited to 'lib/util')
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 51da5424956..6ae54d4cf20 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -1024,9 +1024,10 @@ bool asn1_read_BitString(struct asn1_data *data, TALLOC_CTX *mem_ctx, DATA_BLOB
 return true;
 }
-/* read an integer */
+/* read a non-negative enumerated value */
 bool asn1_read_enumerated(struct asn1_data *data, int *v)
 {
+ unsigned int val_will_wrap = (0xFF << ((sizeof(int)*8)-8));
 *v = 0;
 if (!asn1_start_tag(data, ASN1_ENUMERATED)) return false;
@@ -1035,7 +1036,22 @@ bool asn1_read_enumerated(struct asn1_data *data, int *v)
 if (!asn1_read_uint8(data, &b)) {
 return false;
 }
+ if (*v & val_will_wrap) {
+ /*
+ * There is something already in
+ * the top byte of the int. If we
+ * shift left by 8 it's going to
+ * wrap. Prevent this.
+ */
+ data->has_error = true;
+ return false;
+ }
 *v = (*v << 8) + b;
+ if (*v < 0) {
+ /* ASN1_ENUMERATED can't be -ve. */
+ data->has_error = true;
+ return false;
+ }
 }
 return asn1_end_tag(data);
 }
-- cgit v1.2.1
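Review bot: The mask initialiser `(0xFF << ((sizeof(int)*8)-8))` shifts a signed `int` constant into the sign bit, which is undefined behaviour in C when `int` is 32 bits; the value only becomes unsigned on assignment. Writing it as `unsigned int val_will_wrap = (0xFFU << ((sizeof(int)*8)-8));` keeps the whole expression unsigned. This constant gates a decoder that reads attacker-supplied ASN.1 bytes, so its value should not depend on how a compiler treats the overflow. The body of asn1_read_enumerated continues in the next hunk.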
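Review bot: The `*v < 0` test runs after `*v = (*v << 8) + b;`, so a value with a clear top byte but bit 23 set passes the `val_will_wrap` check and then overflows in the signed shift before anything rejects it. Because that overflow is undefined, an optimising compiler may assume `*v` stays non-negative and drop the later check. Rejecting before the shift covers both the wrap and the negative case with one test: `if (*v > (INT_MAX >> 8)) { data->has_error = true; return false; }`, which needs `<limits.h>` (the file's includes are not visible here). The loop header and the declaration of `b` are outside this hunk.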