From 3eae9766b7e3aee20f6e6828e1468d244635f451 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 10 Feb 2019 01:34:24 +0200
Subject: [PATCH] TLS: Fix ASN.1 parsing with no room for the header

Explicitly check the remaining buffer length before trying to read the
ASN.1 header values. Attempt to parse an ASN.1 header when there was not
enough buffer room for it would have started by reading one or two
octets beyond the end of the buffer before reporting invalid data at the
following explicit check for buffer room.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/tls/asn1.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/tls/asn1.c b/src/tls/asn1.c
index cec109292..822f87c18 100644
--- a/src/tls/asn1.c
+++ b/src/tls/asn1.c
@@ -31,6 +31,10 @@ int asn1_get_next(const u8 *buf, size_t len, struct asn1_hdr *hdr)
 	pos = buf;
 	end = buf + len;
 
+	if (pos >= end) {
+		wpa_printf(MSG_DEBUG, "ASN.1: No room for Identifier");
+		return -1;
+	}
 	hdr->identifier = *pos++;
 	hdr->class = hdr->identifier >> 6;
 	hdr->constructed = !!(hdr->identifier & (1 << 5));
@@ -51,6 +55,10 @@ int asn1_get_next(const u8 *buf, size_t len, struct asn1_hdr *hdr)
 	} else
 		hdr->tag = hdr->identifier & 0x1f;
 
+	if (pos >= end) {
+		wpa_printf(MSG_DEBUG, "ASN.1: No room for Length");
+		return -1;
+	}
 	tmp = *pos++;
 	if (tmp & 0x80) {
 		if (tmp == 0xff) {