fixed DoS vulnerability in the parsing of distinguished names

author Andreas Steffen <andreas.steffen@strongswan.org>

Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)

committer Andreas Steffen <andreas.steffen@strongswan.org>

Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)
author Andreas Steffen <andreas.steffen@strongswan.org>
Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)
committer Andreas Steffen <andreas.steffen@strongswan.org>
Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c

index d57444d..c8ebd79 100644 (file)
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -296,6 +296,11 @@ size_t asn1_length(chunk_t *blob)
                 len = 256*len + *blob->ptr++;
                 blob->len--;
         }
+       if (len > blob->len)
+       {
+               DBG2("length is larger than remaining blob size");
+               return ASN1_INVALID_LENGTH;
+       }
         return len;
  }
  
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c

index 4a0fafd..bc4c0b5 100644 (file)
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -158,7 +158,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
         
         blob1->len = asn1_length(blob);
         
-       if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+       if (blob1->len == ASN1_INVALID_LENGTH)
         {
                 DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
                                         level, obj.name);
author	Andreas Steffen <andreas.steffen@strongswan.org>
	Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)
committer	Andreas Steffen <andreas.steffen@strongswan.org>
	Tue, 9 Jun 2009 20:03:33 +0000 (22:03 +0200)
src/libstrongswan/asn1/asn1.c		patch \| blob \| history
src/libstrongswan/asn1/asn1_parser.c		patch \| blob \| history