fixed DoS vulnerability in the parsing of ASN.1 time strings
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 10 Jun 2009 09:39:17 +0000 (11:39 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 10 Jun 2009 09:39:17 +0000 (11:39 +0200)
src/libstrongswan/asn1/asn1.c

index c8ebd79..c7da871 100644 (file)
@@ -326,12 +326,18 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
        }
        else if ((eot = memchr(utctime->ptr, '+', utctime->len)) != NULL)
        {
-               sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+               if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+               {
+                       return 0; /* error in positive timezone offset format */
+               }
                tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
        }
        else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
        {
-               sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+               if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+               {
+                       return 0; /* error in negative timezone offset format */
+               }
                tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
        }
        else
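Review bot: Both `sscanf(eot+1, "%2d%2d", ...)` calls still parse directly out of the chunk, and nothing visible in this hunk guarantees that four bytes follow the sign within `utctime->len` or that the buffer is NUL-terminated, which `sscanf` needs. A value that ends in `+` or `-` would make the parser read past the chunk before the new return-count check can reject it. A guard ahead of each call, such as `if (utctime->ptr + utctime->len - eot < 5) return 0;`, bounds the offset, though copying the value into a NUL-terminated local buffer first is the more robust option. The same concern applies to the `sscanf(utctime->ptr, ...)` and `sscanf(eot-2, ...)` calls in the next hunk. The body of asn1_to_time starts and ends outside this hunk.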
@@ -344,13 +350,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
                const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
                                                                                                         "%4d%2d%2d%2d%2d";
        
-               sscanf(utctime->ptr, format, &tm_year, &tm_mon, &tm_day, &tm_hour, &tm_min);
+               if (sscanf(utctime->ptr, format, &tm_year, &tm_mon, &tm_day,
+                                                                                &tm_hour, &tm_min) != 5)
+               {
+                       return 0; /* error in time st [yy]yymmddhhmm time format */
+               }
        }
        
        /* is there a seconds field? */
        if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
        {
-               sscanf(eot-2, "%2d", &tm_sec);
+               if (sscanf(eot-2, "%2d", &tm_sec) != 1)
+               {
+                       return 0; /* error in ss seconds field format */
+               }
        }
        else
        {
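Review bot: The `!= 5` check confirms only that five conversions succeeded, not that the fields are plausible: `%2d` skips leading whitespace and accepts a sign, so a month of 0 or 99 or a negative day still passes. Whatever the rest of asn1_to_time does with these values (outside this hunk, presumably calendar arithmetic) then runs on unchecked input. A range check after the scan would close that, e.g. `if (tm_mon < 1 || tm_mon > 12 || tm_day < 1 || tm_day > 31 || tm_hour < 0 || tm_hour > 23 || tm_min < 0 || tm_min > 59) return 0;`, with a matching `tm_sec` check in the seconds branch. Separately, the comment on the new return has a stray "time st" and could read `/* error in [yy]yymmddhhmm time format */`.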