fixed DoS vulnerability in the parsing of distinguished names
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)
src/libstrongswan/asn1/asn1.c
src/libstrongswan/asn1/asn1_parser.c

index d57444d..c8ebd79 100644 (file)
@@ -296,6 +296,11 @@ size_t asn1_length(chunk_t *blob)
                len = 256*len + *blob->ptr++;
                blob->len--;
        }
+       if (len > blob->len)
+       {
+               DBG2("length is larger than remaining blob size");
+               return ASN1_INVALID_LENGTH;
+       }
        return len;
 }
 
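Review bot: The new `if (len > blob->len)` check sits after the multi-octet length loop, so it only covers returns that reach the end of `asn1_length()`. The function starts above this hunk, and if an earlier path returns a short-form (single-octet) length directly, that value is never compared with the remaining `blob->len`. This matters because the `iterate()` hunk in asn1_parser.c removes `blob->len < blob1->len`, which previously covered every return path of `asn1_length()`. I would either apply the same comparison before any earlier return in `asn1_length()`, or keep the caller-side test in `iterate()` as a backstop. A regression test with a truncated object whose single-octet length exceeds the remaining bytes would show whether the gap exists.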
index 4a0fafd..bc4c0b5 100644 (file)
@@ -158,7 +158,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
        
        blob1->len = asn1_length(blob);
        
-       if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+       if (blob1->len == ASN1_INVALID_LENGTH)
        {
                DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
                                        level, obj.name);