From: Ken Raeburn Date: Wed, 10 Apr 2002 00:40:25 +0000 (+0000) Subject: * asn1buf.c (asn1buf_remove_octetstring, asn1buf_remove_charstring): Fix bounds X-Git-Tag: krb5-1.3-alpha1~786 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=4092aa661b40fb565d39594972c000572296238b;p=krb5.git * asn1buf.c (asn1buf_remove_octetstring, asn1buf_remove_charstring): Fix bounds test for correctness in overflow cases. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14370 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index 9a70a2dd3..e1b6743d0 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,9 @@ +2002-04-09 Ken Raeburn + + * asn1buf.c (asn1buf_remove_octetstring, + asn1buf_remove_charstring): Fix bounds test for correctness in + overflow cases. + 2001-10-09 Ken Raeburn * asn1_decode.c, asn1_decode.h, asn1_encode.h, asn1_get.h, diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c index dcb0f6093..7b56c9e8e 100644 --- a/src/lib/krb5/asn.1/asn1buf.c +++ b/src/lib/krb5/asn.1/asn1buf.c @@ -43,6 +43,7 @@ asn1buf structure or be NULL. base points to a valid, allocated octet array or is NULL + bound, if non-NULL, points to the last valid octet next >= base next <= bound+2 (i.e. next should be able to step just past the bound, but no further. (The bound should move out in response @@ -231,7 +232,7 @@ asn1_error_code asn1buf_remove_octetstring(buf, len, s) { int i; - if(buf->next + len - 1 > buf->bound) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; if (len == 0) { *s = 0; return 0; @@ -252,7 +253,7 @@ asn1_error_code asn1buf_remove_charstring(buf, len, s) { int i; - if (buf->next + len - 1 > buf->bound) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; if (len == 0) { *s = 0; return 0; 
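Review bot: In asn1buf_remove_octetstring (the hunk at -231), the rewritten test `len > buf->bound + 1 - buf->next` is only as safe as the implicit conversion between `len` and the pointer difference, and the parameter declarations that fix the type of `len` lie outside the hunk. The invariant comment touched by this same commit allows `next` to reach `bound+2`, so the right-hand side can be -1. If `len` is an unsigned type of at least the rank of ptrdiff_t, that -1 converts to a huge value and the check passes, and if `len` is signed, a negative length passes as well. I would make both cases explicit, e.g. `if (buf->next > buf->bound + 1 || len > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;`, with an explicit `len < 0` test if `len` turns out to be signed, and record the reason with a comment such as `/* compare against octets remaining; next + len may wrap past bound */`. The same line and the same concern apply to asn1buf_remove_charstring (the hunk at -252).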
@@ -407,7 +408,7 @@ asn1_error_code asn1buf_expand(buf, inc) #define STANDARD_INCREMENT 200 int next_offset = buf->next - buf->base; int bound_offset; - if(buf->base == NULL) bound_offset = -1; + if (buf->base == NULL) bound_offset = -1; else bound_offset = buf->bound - buf->base; if (inc < STANDARD_INCREMENT) @@ -418,7 +419,7 @@ asn1_error_code asn1buf_expand(buf, inc) else buf->base = realloc(buf->base, (asn1buf_size(buf)+inc) * sizeof(asn1_octet)); - if(buf->base == NULL) return ENOMEM; + if (buf->base == NULL) return ENOMEM; buf->bound = (buf->base) + bound_offset + inc; buf->next = (buf->base) + next_offset; return 0;