It seems that the BER decoder logic in _asn1_decode_simple_ber() uses recursion to handle the indefinite string encoding. That is, when the length is not provided in the BER TLV encoding, the decoder is expected to go through a set of TLV pairs terminated by 0x00, 0x00. That also means that the TLV pairs encapsulated within the indefinite encoding could employ indefinite encoding as well, requiring recursive handling of these cases.
However, that also means that a specially crafted structure could cause stack exhaustion in the BER decoder, leading the application to crash. I have a patch set addressing that by introducing a limit of 3 levels of recursion, although that is a bit arbitrary. I have seen in the wild encodings which involve 1 level of recursion; however, I've never seen 2 or 3 levels for BER encodings. Are there any concerns related to other implementations or structures produced by other encoders?

regards,
Nikos
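The recursion and the depth cap discussed above, as an added example that is not part of this message or of libtasn1's code: a small decoder for BER OCTET STRING values that handles the primitive form, the definite-length constructed form and the indefinite-length constructed form (terminated by 0x00 0x00), descending into nested constructed segments recursively and refusing input that nests deeper than a fixed 3-level cap, so a crafted chain of 0x24 0x80 wrappers fails fast instead of exhausting the stack. All names here (BER_MAX_DEPTH, ber_decode_octet_string, ber_read_length, the BER_ERR_* codes, ber_sample_check, ber_nested_probe) and the sample byte strings are this example's own constructions and are not libtasn1 identifiers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Example status codes and depth cap; these names are this example's own, not libtasn1's. */
enum { BER_OK = 0, BER_ERR_TRUNCATED = -1, BER_ERR_BAD_TAG = -2,
       BER_ERR_BAD_LENGTH = -3, BER_ERR_NO_SPACE = -4, BER_ERR_TOO_DEEP = -5 };
#define BER_MAX_DEPTH 3   /* the same 3-level recursion limit discussed in the message */

/* Decode BER length octets at in[0..in_len). Returns octets consumed or a negative code. */
static int ber_read_length(const uint8_t *in, size_t in_len, size_t *len, int *indefinite)
{
    if (in_len < 1) return BER_ERR_TRUNCATED;
    *indefinite = 0; *len = 0;
    if (in[0] < 0x80) { *len = in[0]; return 1; }          /* short form */
    if (in[0] == 0x80) { *indefinite = 1; return 1; }      /* indefinite form: contents end at 0x00 0x00 */
    size_t n = in[0] & 0x7f;                               /* long form: n following length octets */
    if (n > sizeof(size_t)) return BER_ERR_BAD_LENGTH;
    if (in_len < 1 + n) return BER_ERR_TRUNCATED;
    for (size_t i = 0; i < n; i++) *len = (*len << 8) | in[1 + i];
    return (int)(1 + n);
}

/* Decode one OCTET STRING TLV at in[0..in_len), appending its content bytes to out.
 * Constructed encodings (tag 0x24) are descended recursively; indefinite-length ones
 * loop until the 0x00 0x00 end-of-contents marker. depth is the recursion level and is
 * capped at BER_MAX_DEPTH, which is what stops crafted nesting from exhausting the stack.
 * Returns octets consumed (inputs here are small enough for int) or a negative BER_ERR_*. */
static int ber_decode_octet_string(const uint8_t *in, size_t in_len,
                                   uint8_t *out, size_t out_cap, size_t *out_len, int depth)
{
    if (depth > BER_MAX_DEPTH) return BER_ERR_TOO_DEEP;
    if (in_len < 2) return BER_ERR_TRUNCATED;
    if ((in[0] & 0xdf) != 0x04) return BER_ERR_BAD_TAG;    /* UNIVERSAL 4, primitive or constructed */
    int constructed = (in[0] & 0x20) != 0;
    size_t len; int indefinite;
    int r = ber_read_length(in + 1, in_len - 1, &len, &indefinite);
    if (r < 0) return r;
    size_t pos = 1 + (size_t)r;

    if (!constructed) {
        if (indefinite) return BER_ERR_BAD_LENGTH;          /* a primitive string needs a definite length */
        if (len > in_len - pos) return BER_ERR_TRUNCATED;
        if (len > out_cap - *out_len) return BER_ERR_NO_SPACE;
        memcpy(out + *out_len, in + pos, len);
        *out_len += len;
        return (int)(pos + len);
    }

    size_t end = in_len;                                    /* indefinite: bounded only by the buffer */
    if (!indefinite) {
        if (len > in_len - pos) return BER_ERR_TRUNCATED;
        end = pos + len;
    }
    for (;;) {
        if (indefinite) {
            if (in_len - pos < 2) return BER_ERR_TRUNCATED; /* ran out of input before the EOC marker */
            if (in[pos] == 0x00 && in[pos + 1] == 0x00) { pos += 2; break; }
        } else if (pos == end) {
            break;
        }
        r = ber_decode_octet_string(in + pos, end - pos, out, out_cap, out_len, depth + 1);
        if (r < 0) return r;
        pos += (size_t)r;
    }
    return (int)pos;
}

/* Constructed sample encodings (not taken from any real protocol capture). */
static const uint8_t SAMPLE_PRIMITIVE[]  = { 0x04, 0x03, 'a', 'b', 'c' };
static const uint8_t SAMPLE_DEFINITE[]   = { 0x24, 0x06, 0x04, 0x01, 'p', 0x04, 0x01, 'q' };
static const uint8_t SAMPLE_INDEFINITE[] = { 0x24, 0x80, 0x04, 0x01, 'a', 0x04, 0x02, 'b', 'c', 0x00, 0x00 };
static const uint8_t SAMPLE_NESTED[]     = { 0x24, 0x80, 0x24, 0x80, 0x04, 0x01, 'x', 0x00, 0x00,
                                             0x04, 0x01, 'y', 0x00, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[]  = { 0x24, 0x80, 0x04, 0x01, 'a' };  /* EOC marker missing */

/* Status code (or octets consumed) for decoding in[] from depth 0. */
int ber_sample_status(const uint8_t *in, size_t in_len)
{
    uint8_t out[64]; size_t out_len = 0;
    return ber_decode_octet_string(in, in_len, out, sizeof out, &out_len, 0);
}

/* 1 if in[] decodes completely to the string expected, 0 otherwise. */
int ber_sample_check(const uint8_t *in, size_t in_len, const char *expected)
{
    uint8_t out[64]; size_t out_len = 0;
    int r = ber_decode_octet_string(in, in_len, out, sizeof out - 1, &out_len, 0);
    if (r < 0 || (size_t)r != in_len) return 0;
    out[out_len] = 0;
    return strcmp((const char *)out, expected) == 0;
}

/* Build `levels` nested indefinite-length constructed wrappers (0x24 0x80 ...) around a
 * one-byte primitive, i.e. the hostile input described in the message, and report the
 * decoder's status. Past BER_MAX_DEPTH the decoder gives up after a handful of recursions,
 * however many levels were crafted. */
int ber_nested_probe(size_t levels)
{
    size_t n = 2 * levels + 3 + 2 * levels;
    uint8_t *buf = malloc(n);
    if (!buf) return BER_ERR_NO_SPACE;
    size_t p = 0;
    for (size_t i = 0; i < levels; i++) { buf[p++] = 0x24; buf[p++] = 0x80; }
    buf[p++] = 0x04; buf[p++] = 0x01; buf[p++] = 'z';
    for (size_t i = 0; i < levels; i++) { buf[p++] = 0x00; buf[p++] = 0x00; }
    uint8_t out[8]; size_t out_len = 0;
    int r = ber_decode_octet_string(buf, n, out, sizeof out, &out_len, 0);
    free(buf);
    return r < 0 ? r : BER_OK;
}
```

With the cap counted as recursion levels from the outermost TLV, three nested constructed wrappers around a primitive still decode, a fourth is rejected with BER_ERR_TOO_DEEP, and a 100000-level chain is rejected after reading only its first few octets; the same decoder without the depth check would recurse once per crafted level.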
