asn1: Protect against overlong tag lengths
authorVolker Lendecke <vl@samba.org>
Fri, 5 Feb 2016 20:58:45 +0000 (12:58 -0800)
committerJeremy Allison <jra@samba.org>
Tue, 9 Feb 2016 21:29:11 +0000 (22:29 +0100)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
lib/util/asn1.c

index 9aa9772e013cc0dcebcc6176b55b3986b2494d6b..dc7f679fa6194460458e819bf23ad97a83f3fa66 100644 (file)
@@ -641,9 +641,20 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
                        return false;
                nesting->taglen = b;
                while (n > 1) {
+                       size_t taglen;
+
                        if (!asn1_read_uint8(data, &b))
                                return false;
-                       nesting->taglen = (nesting->taglen << 8) | b;
+
+                       taglen = (nesting->taglen << 8) | b;
+
+                       if ((taglen >> 8) != nesting->taglen) {
+                               /* overflow */
+                               data->has_error = true;
+                               return false;
+                       }
+                       nesting->taglen = taglen;
+
                        n--;
                }
        } else {
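Review bot: The check added inside the `while (n > 1)` loop rejects only lengths that wrap `size_t`, so on a 64-bit build a peer-supplied length far larger than the message is still stored in `nesting->taglen`. Whether that value is later compared with the bytes actually left in the buffer is decided outside this hunk and is worth confirming, since asn1_start_tag begins and ends outside it. The test also assumes `nesting->taglen` is exactly as wide as the local `size_t taglen`. The field's declaration is not visible here, and if it were narrower, `nesting->taglen = taglen;` would truncate without tripping the check. The bare `/* overflow */` comment could state what is being tested, for example `/* a non-zero high byte was shifted out: the encoded length does not fit in size_t */`.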