From 04440a6e90e94285441f414c77768d3726fdd0a5 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Sun, 11 Jul 1999 09:19:41 +0000 Subject: [PATCH] * asn1_decode.c (asn1_decode_integer): Fix to deal with overflows and negative integers. (asn1_decode_unsigned_integer): Fix to deal with overflows and to return errors on encountering negative integers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11558 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/asn.1/ChangeLog | 7 +++++++ src/lib/krb5/asn.1/asn1_decode.c | 31 +++++++++++++++++++++++-------- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index cc9f48985..50c7808aa 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,10 @@ +Sat Jul 10 10:21:40 1999 Tom Yu + + * asn1_decode.c (asn1_decode_integer): Fix to deal with overflows + and negative integers. + (asn1_decode_unsigned_integer): Fix to deal with overflows and to + return errors on encountering negative integers. + 1999-07-06 Ken Raeburn * KRB5-asn.py (PA-SAM-RESPONSE): Fix syntax error -- comma diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c index cb48c2e5b..189f7c082 100644 --- a/src/lib/krb5/asn.1/asn1_decode.c +++ b/src/lib/krb5/asn.1/asn1_decode.c @@ -58,14 +58,22 @@ asn1_error_code asn1_decode_integer(buf, val) { setup(); asn1_octet o; - unsigned long n; + long n; + int i; tag(ASN1_INTEGER); - for(n=0; length > 0; length--){ - retval = asn1buf_remove_octet(buf,&o); - if(retval) return retval; - n = (n<<8) + (unsigned int)o; + for (i = 0; i < length; i++) { + retval = asn1buf_remove_octet(buf, &o); + if (retval) return retval; + if (!i) { + n = (0x80 & o) ? -1 : 0; /* grab sign bit */ + if (n < 0 && length > sizeof (long)) + return ASN1_OVERFLOW; + else if (length > sizeof (long) + 1) /* allow extra octet for positive */ + return ASN1_OVERFLOW; + } + n = (n << 8) | o; } *val = n; cleanup(); @@ -78,13 +86,20 @@ asn1_error_code asn1_decode_unsigned_integer(buf, val) setup(); asn1_octet o; unsigned long n; + int i; tag(ASN1_INTEGER); - for(n=0; length > 0; length--){ - retval = asn1buf_remove_octet(buf,&o); + for (i = 0, n = 0; i < length; i++) { + retval = asn1buf_remove_octet(buf, &o); if(retval) return retval; - n = (n<<8) + (unsigned int)o; + if (!i) { + if (0x80 & o) + return ASN1_OVERFLOW; + else if (length > sizeof (long) + 1) + return ASN1_OVERFLOW; + } + n = (n << 8) | o; } *val = n; cleanup(); -- 2.26.2