jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

TLS: Fix ASN.1 parsing with no room for the header

Browse source 
Explicitly check the remaining buffer length before trying to read the
ASN.1 header values. Attempt to parse an ASN.1 header when there was not
enough buffer room for it would have started by reading one or two
octets beyond the end of the buffer before reporting invalid data at the
following explicit check for buffer room.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2019-02-10 01:34:24 +02:00
parent fbc2123a14
commit 3eae9766b7
1 changed files with 8 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/tls/asn1.c
View file

@ -31,6 +31,10 @@ int asn1_get_next(const u8 *buf, size_t len, struct asn1_hdr *hdr)
pos = buf;
end = buf + len;
if (pos >= end) {
wpa_printf(MSG_DEBUG, "ASN.1: No room for Identifier");
return -1;
}
hdr->identifier = *pos++;
hdr->class = hdr->identifier >> 6;
hdr->constructed = !!(hdr->identifier & (1 << 5));
@ -51,6 +55,10 @@ int asn1_get_next(const u8 *buf, size_t len, struct asn1_hdr *hdr)
} else
hdr->tag = hdr->identifier & 0x1f;
if (pos >= end) {
wpa_printf(MSG_DEBUG, "ASN.1: No room for Length");
return -1;
}
tmp = *pos++;
if (tmp & 0x80) {
if (tmp == 0xff) {