The branch, master has been updated
       via  1d26012 asn1: Ensure asn1_tag_remaining() only ever returns -1 as an error condition.
       via  697088e asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag().
       via  f60f7a6 asn1: Protect against overlong tag lengths
      from  171fdc2 ctdb-recovery: Fix newlines in log messages

https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 1d26012ce84d12cba236e5a88be25e6d489c9144 Author: Jeremy Allison <j...@samba.org> Date: Fri Feb 5 13:21:29 2016 -0800 asn1: Ensure asn1_tag_remaining() only ever returns -1 as an error condition. Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Wed Feb 10 01:38:03 CET 2016 on sn-devel-144 commit 697088ef165d9ee42502d7a8ab51edc90010386e Author: Jeremy Allison <j...@samba.org> Date: Fri Feb 5 13:15:57 2016 -0800 asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag(). Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> commit f60f7a62e259ec518c94c08b23ef0dce9d41083b Author: Volker Lendecke <v...@samba.org> Date: Fri Feb 5 12:58:45 2016 -0800 asn1: Protect against overlong tag lengths Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/util/asn1.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/util/asn1.c b/lib/util/asn1.c index 9aa9772..9d6d416 100644 --- a/lib/util/asn1.c +++ b/lib/util/asn1.c @@ -593,12 +593,24 @@ static bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag, } taglen = b; while (n > 1) { + size_t tmp_taglen; + if (!asn1_read_uint8(data, &b)) { data->ofs = start_ofs; data->has_error = false; return false; } - taglen = (taglen << 8) | b; + + tmp_taglen = (taglen << 8) | b; + + if ((tmp_taglen >> 8) != taglen) { + /* overflow */ + data->ofs = start_ofs; + data->has_error = false; + return false; + } + taglen = tmp_taglen; + n--; } } else { 
@@ -641,9 +653,20 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag) return false; nesting->taglen = b; while (n > 1) { + size_t taglen; + if (!asn1_read_uint8(data, &b)) return false; - nesting->taglen = (nesting->taglen << 8) | b; + + taglen = (nesting->taglen << 8) | b; + + if ((taglen >> 8) != nesting->taglen) { + /* overflow */ + data->has_error = true; + return false; + } + nesting->taglen = taglen; + n--; } } else { @@ -698,6 +721,10 @@ int asn1_tag_remaining(struct asn1_data *data) data->has_error = true; return -1; } + if (remaining < 0) { + data->has_error = true; + return -1; + } return remaining; } -- Samba Shared Repository
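
Review bot: In the asn1_peek_tag_needed_size() hunk, the new overflow branch restores data->ofs and sets data->has_error = false, exactly as the short-read branch just above it does, so a caller cannot tell "not enough bytes yet" from "length can never be represented". The matching branch in asn1_start_tag() sets has_error = true. If clearing the error here is deliberate because this is only a peek, please say so in the /* overflow */ comment; otherwise consider reporting the overflow case differently from the short read, so that a malformed length is not treated as a request for more data.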
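
Review bot: In the asn1_start_tag() hunk, the check (taglen >> 8) != nesting->taglen only detects overflow of the size_t temporary, and the declaration of nesting->taglen is not part of this diff. If that field is narrower than size_t, the assignment nesting->taglen = taglen can still truncate after the check has passed. Please confirm the field's type, or declare the temporary with the same type as the field so that the round-trip comparison covers the value that is actually stored. The shift-and-compare sequence is now duplicated in two functions; a small shared helper would keep the two copies from drifting apart.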
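
Review bot: In the asn1_tag_remaining() hunk, the added if (remaining < 0) branch has no comment saying which input produces a negative value once the preceding check has already returned -1. A one-line comment on the condition being guarded against, plus a note at the top of the function that -1 is the only error return and that has_error is set alongside it, would make the contract stated in the commit subject visible in the code for callers that use the result as a length.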