fix MITKRB5-SA-2004-003
authorTom Yu <tlyu@mit.edu>
Tue, 31 Aug 2004 18:55:18 +0000 (18:55 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 31 Aug 2004 18:55:18 +0000 (18:55 +0000)
Fix for ASN.1 decoder denial-of-service. [MITKRB5-SA-2004-003]

ticket: new
target_version: 1.3.5
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16702 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/krb5/asn.1/ChangeLog
src/lib/krb5/asn.1/asn1buf.c

index fd0bf2daf577c757a5ff1bc23054a45c90b8e107..e7ea803677b0765c974e766c8fa1aa10c057c5e1 100644 (file)
@@ -1,5 +1,7 @@
 2004-08-31  Tom Yu  <tlyu@mit.edu>
 
+       * asn1buf.c: Fix denial-of-service bug.
+
        * asn1buf.c:
        * krb5_decode.c: Fix double-free vulnerabilities.
 
index 566d41e7b8e9bc49272f900e3564d1824ffe4563..8baac24240496cfa07f045d135e9ffe854d24954 100644 (file)
@@ -122,6 +122,8 @@ asn1_error_code asn1buf_skiptail(asn1buf *buf, const unsigned int length, const
       return ASN1_OVERRUN;
   }
   while (nestlevel > 0) {
+    if (buf->bound - buf->next + 1 <= 0)
+      return ASN1_OVERRUN;
     retval = asn1_get_tag_2(buf, &t);
     if (retval) return retval;
     if (!t.indef) {
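Review bot: The new guard at the top of the `while (nestlevel > 0)` loop open-codes the remaining-byte count as `buf->bound - buf->next + 1 <= 0` with no comment, so a reader must infer both that `bound` is inclusive and why exhausted input has to end the loop. A short comment above it would record the intent, for example `/* No input left: return instead of looping on an encoding that never closes its nesting. */`. The `<= 0` comparison only catches `next` running past `bound` if the subtraction is signed, as a pointer difference would be; the member types are not visible in this hunk, so that is worth confirming. The loop body continues past the end of the hunk.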