[PATCH] Prevent out of bound reads in asn1_decoder
From: Eric Sesterhenn
Date: Fri Oct 13 2017 - 14:35:15 EST
From 5bb71b55a21adae6858bc008834b8806abbb4405 Mon Sep 17 00:00:00 2001
From: Eric Sesterhenn <eric.sesterhenn@xxxxxxxxxxx>
Date: Fri, 13 Oct 2017 20:31:07 +0200
Subject: [PATCH] Prevent out of bound reads in asn1_decoder
In some cases the asn1_decoder supplies the callback
functions with invalid parameters, which causes them
to operate on data outside of the buffer. This patch
fixes this by checking the length.
Signed-off-by: Eric Sesterhenn <eric.sesterhenn@xxxxxxxxxxx>
---
lib/asn1_decoder.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
index 0bd8a611eb83..375a76fc9a56 100644
--- a/lib/asn1_decoder.c
+++ b/lib/asn1_decoder.c
@@ -296,6 +296,8 @@ int asn1_ber_decoder(const struct asn1_decoder *decoder,
cons_hdrlen_stack[csp] = hdr;
if (!(flags & FLAG_INDEFINITE_LENGTH)) {
cons_datalen_stack[csp] = datalen;
+ if (dp + len > datalen)
+ goto data_overrun_error;
datalen = dp + len;
} else {
cons_datalen_stack[csp] = 0;
@@ -308,6 +310,10 @@ int asn1_ber_decoder(const struct asn1_decoder
*decoder,
tdp = dp;
}
+ /* prevent out of bound reads */
+ if (dp + len > datalen)
+ goto data_overrun_error;
+
/* Decide how to handle the operation */
switch (op) {
case ASN1_OP_MATCH_ANY_ACT:
--
Eric Sesterhenn (Principal Security Consultant)
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
GeschÃftsfÃhrer: Markus Vervier
Attachment:
signature.asc
Description: OpenPGP digital signature