The branch, master has been updated
       via  1d26012 asn1: Ensure asn1_tag_remaining() only ever returns -1 as an error condition.
       via  697088e asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag().
       via  f60f7a6 asn1: Protect against overlong tag lengths
      from  171fdc2 ctdb-recovery: Fix newlines in log messages

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1d26012ce84d12cba236e5a88be25e6d489c9144
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Feb 5 13:21:29 2016 -0800

    asn1: Ensure asn1_tag_remaining() only ever returns -1 as an error condition.
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Wed Feb 10 01:38:03 CET 2016 on sn-devel-144

commit 697088ef165d9ee42502d7a8ab51edc90010386e
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Feb 5 13:15:57 2016 -0800

    asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag().
    
    Signed-off-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

commit f60f7a62e259ec518c94c08b23ef0dce9d41083b
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Feb 5 12:58:45 2016 -0800

    asn1: Protect against overlong tag lengths
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/util/asn1.c | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 9aa9772..9d6d416 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -593,12 +593,24 @@ static bool asn1_peek_tag_needed_size(struct asn1_data 
*data, uint8_t tag,
                }
                taglen = b;
                while (n > 1) {
+                       size_t tmp_taglen;
+
                        if (!asn1_read_uint8(data, &b)) {
                                data->ofs = start_ofs;
                                data->has_error = false;
                                return false;
                        }
-                       taglen = (taglen << 8) | b;
+
+                       tmp_taglen = (taglen << 8) | b;
+
+                       if ((tmp_taglen >> 8) != taglen) {
+                               /* overflow */
+                               data->ofs = start_ofs;
+                               data->has_error = false;
+                               return false;
+                       }
+                       taglen = tmp_taglen;
+
                        n--;
                }
        } else {
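Review bot: the new overflow branch in the while loop reports the condition exactly like the short-read branch just above it (data->ofs = start_ofs; data->has_error = false; return false), whereas asn1_start_tag() sets data->has_error = true for the same check. If the difference is deliberate because this is a peek that must leave the parser state untouched, a comment saying so would help; otherwise a caller that sees only false cannot tell a length that overflows size_t from a buffer that is simply too short. The three-line reset now appears twice inside the loop, so a single exit label would keep the two paths from drifting apart.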
@@ -641,9 +653,20 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
                        return false;
                nesting->taglen = b;
                while (n > 1) {
+                       size_t taglen;
+
                        if (!asn1_read_uint8(data, &b))
                                return false;
-                       nesting->taglen = (nesting->taglen << 8) | b;
+
+                       taglen = (nesting->taglen << 8) | b;
+
+                       if ((taglen >> 8) != nesting->taglen) {
+                               /* overflow */
+                               data->has_error = true;
+                               return false;
+                       }
+                       nesting->taglen = taglen;
+
                        n--;
                }
        } else {
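Review bot: the test (taglen >> 8) != nesting->taglen in the loop is the same wraparound check added to asn1_peek_tag_needed_size(), written out a second time; moving it into one small static helper that both functions call would stop the two copies from diverging again. The test also relies on the shift being evaluated at size_t width, which depends on the declared type of nesting->taglen (not visible in this hunk), so a pre-shift comparison such as nesting->taglen > (SIZE_MAX >> 8) would state the intent without depending on wraparound. A length padded with leading zero octets still passes, since only the value is checked and not the number of length octets; if that is intended, a short comment would make it explicit.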
@@ -698,6 +721,10 @@ int asn1_tag_remaining(struct asn1_data *data)
                data->has_error = true;
                return -1;
        }
+       if (remaining < 0) {
+               data->has_error = true;
+               return -1;
+       }
        return remaining;
 }
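Review bot: the added remaining < 0 test in asn1_tag_remaining() catches a bad value only after it has been computed and stored in remaining, and nothing in the hunk says how it can become negative; a one-line comment naming the case would help. Since asn1_start_tag() now accepts any tag length that fits in size_t while this function returns int, please also confirm that a length above INT_MAX cannot narrow to a positive value here. The computation is outside the visible lines, and checking the range before the conversion would be more robust than testing the sign afterwards.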
 


-- 
Samba Shared Repository
