From 9ebba8f58de27aa03abea9d7695f329d4406fa7f Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Tue, 31 Aug 2004 18:55:18 +0000
Subject: [PATCH] fix MITKRB5-SA-2004-003
Fix for ASN.1 decoder denial-of-service. [MITKRB5-SA-2004-003]
ticket: new
target_version: 1.3.5
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16702 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/krb5/asn.1/ChangeLog | 2 ++
 src/lib/krb5/asn.1/asn1buf.c | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog
index fd0bf2daf..e7ea80367 100644
--- a/src/lib/krb5/asn.1/ChangeLog
+++ b/src/lib/krb5/asn.1/ChangeLog
@@ -1,5 +1,7 @@ 2004-08-31 Tom Yu + * asn1buf.c: Fix denial-of-service bug. + * asn1buf.c: * krb5_decode.c: Fix double-free vulnerabilities.
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 566d41e7b..8baac2424 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -122,6 +122,8 @@ asn1_error_code asn1buf_skiptail(asn1buf *buf, const unsigned int length, const
 return ASN1_OVERRUN;
 }
 while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
 retval = asn1_get_tag_2(buf, &t);
 if (retval) return retval;
 if (!t.indef) {
-- 
2.26.2
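Review bot: The guard added at the top of the `while (nestlevel > 0)` loop in asn1buf.c has no comment, although it is the entire advisory fix; it should state its reason, e.g. `/* Buffer exhausted while still nested: the encoding is truncated, so fail rather than read another tag. */`. The expression `buf->bound - buf->next + 1` presumably repeats the remaining-bytes computation used by the overrun check just above the hunk, so a small named helper or macro would keep the two from drifting apart. The diffstat lists only ChangeLog and asn1buf.c, so no regression test accompanies the fix; a decoder test whose input ends while `nestlevel` is still positive, asserting `ASN1_OVERRUN`, would pin the behaviour. asn1buf_skiptail starts and ends outside this hunk, so the rest of the loop body was not reviewed.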