+2002-04-09 Ken Raeburn <raeburn@mit.edu>
+
+ * asn1buf.c (asn1buf_remove_octetstring,
+ asn1buf_remove_charstring): Fix bounds test for correctness in
+ overflow cases.
+
2001-10-09 Ken Raeburn <raeburn@mit.edu>
* asn1_decode.c, asn1_decode.h, asn1_encode.h, asn1_get.h,
asn1buf structure or be NULL.
base points to a valid, allocated octet array or is NULL
+ bound, if non-NULL, points to the last valid octet
next >= base
next <= bound+2 (i.e. next should be able to step just past the bound,
but no further. (The bound should move out in response
{
int i;
- if(buf->next + len - 1 > buf->bound) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
return 0;
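Review bot: The rewritten test `len > buf->bound + 1 - buf->next` still relies on the right-hand side being non-negative and on the type of `len`, and neither is established in this hunk. The invariant in the header comment lets `next` reach `bound+2`, so the difference can be -1. If `len` is unsigned and as wide as `ptrdiff_t`, that -1 converts to a very large value and the test passes; if `len` is a signed `int`, a negative length passes as well. Rejecting the exhausted case first and comparing as unsigned would close both paths, e.g. `if (buf->next > buf->bound + 1 || len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;`. The same line appears in the second remove function (the next hunk), and the function signatures are outside the visible lines, so the declaration of `len` should be confirmed.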
{
int i;
- if (buf->next + len - 1 > buf->bound) return ASN1_OVERRUN;
+ if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
return 0;
#define STANDARD_INCREMENT 200
int next_offset = buf->next - buf->base;
int bound_offset;
- if(buf->base == NULL) bound_offset = -1;
+ if (buf->base == NULL) bound_offset = -1;
else bound_offset = buf->bound - buf->base;
if (inc < STANDARD_INCREMENT)
else
buf->base = realloc(buf->base,
(asn1buf_size(buf)+inc) * sizeof(asn1_octet));
- if(buf->base == NULL) return ENOMEM;
+ if (buf->base == NULL) return ENOMEM;
buf->bound = (buf->base) + bound_offset + inc;
buf->next = (buf->base) + next_offset;
return 0;
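Review bot: The result of `realloc` is assigned straight back to `buf->base`, so a failed call leaks the old block and leaves `buf->base` NULL while `buf->bound` and `buf->next` still point into the old allocation; the changed line only reformats the NULL test. Holding the result in a temporary keeps the buffer consistent on the ENOMEM path: `asn1_octet *tmp = realloc(buf->base, (asn1buf_size(buf)+inc) * sizeof(asn1_octet));`, then `if (tmp == NULL) return ENOMEM;` and `buf->base = tmp;`. The size expression `(asn1buf_size(buf)+inc)` looks like it is evaluated in `int` before the multiplication, so a range check on `inc` ahead of the call would be worth adding. The `if` branch that pairs with this `else` and the start of the function are not visible here, so the temporary would need to cover that branch too.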