From 5bb71b55a21adae6858bc008834b8806abbb4405 Mon Sep 17 00:00:00 2001 From: Eric Sesterhenn <[email protected]> Date: Fri, 13 Oct 2017 20:31:07 +0200 Subject: [PATCH] Prevent out of bound reads in asn1_decoder
In some cases the asn1_decoder supplies the callback functions with invalid parameters, which causes them to operate on data outside of the buffer. This patch fixes this by checking the length. Signed-off-by: Eric Sesterhenn <[email protected]> --- lib/asn1_decoder.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index 0bd8a611eb83..375a76fc9a56 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c @@ -296,6 +296,8 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, cons_hdrlen_stack[csp] = hdr; if (!(flags & FLAG_INDEFINITE_LENGTH)) { cons_datalen_stack[csp] = datalen; + if (dp + len > datalen) + goto data_overrun_error; datalen = dp + len; } else { cons_datalen_stack[csp] = 0; @@ -308,6 +310,10 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder, tdp = dp; } + /* prevent out of bound reads */ + if (dp + len > datalen) + goto data_overrun_error; + /* Decide how to handle the operation */ switch (op) { case ASN1_OP_MATCH_ANY_ACT: -- Eric Sesterhenn (Principal Security Consultant) X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen T: +49 241 9809418-0, Fax: -9 Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989 Geschäftsführer: Markus Vervier
signature.asc
Description: OpenPGP digital signature
