[PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939)

author Gergely Nagy <ngg@tresorit.com>

Wed, 14 Dec 2016 12:19:01 +0000 (13:19 +0100)

committer Laszlo Boszormenyi (GCS) <gcs@debian.org>

Tue, 27 Jun 2017 19:04:20 +0000 (20:04 +0100)
author Gergely Nagy <ngg@tresorit.com>
Wed, 14 Dec 2016 12:19:01 +0000 (13:19 +0100)
committer Laszlo Boszormenyi (GCS) <gcs@debian.org>
Tue, 27 Jun 2017 19:04:20 +0000 (20:04 +0100)
diff --git a/asn.cpp b/asn.cpp

index 13cd50c3377b8517433c4e2378e308a5de2af1dd..0017f28fa792a864226892da40110fe798894acd 100644 (file)
--- a/asn.cpp
+++ b/asn.cpp
@@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str)
         size_t bc;\r
         if (!BERLengthDecode(bt, bc))\r
                 BERDecodeError();\r
+       if (bc > bt.MaxRetrievable())\r
+               BERDecodeError();\r
  \r
         str.New(bc);\r
         if (bc != bt.Get(str, bc))\r
@@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
         size_t bc;\r
         if (!BERLengthDecode(bt, bc))\r
                 BERDecodeError();\r
+       if (bc > bt.MaxRetrievable())\r
+               BERDecodeError();\r
  \r
         bt.TransferTo(str, bc);\r
         return bc;\r
@@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
         size_t bc;\r
         if (!BERLengthDecode(bt, bc))\r
                 BERDecodeError();\r
+       if (bc > bt.MaxRetrievable())\r
+               BERDecodeError();\r
  \r
         SecByteBlock temp(bc);\r
         if (bc != bt.Get(temp, bc))\r
@@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
         size_t bc;\r
         if (!BERLengthDecode(bt, bc))\r
                 BERDecodeError();\r
+       if (bc == 0)\r
+               BERDecodeError();\r
+       if (bc > bt.MaxRetrievable())\r
+               BERDecodeError();\r
  \r
         byte unused;\r
         if (!bt.Get(unused))\r
diff --git a/asn.h b/asn.h

index 8c8ac321f9c545519c0d08d19c4fd9b3ca67e916..adb677d3da9c30575862b36084f1e54d1da0cf65 100644 (file)
--- a/asn.h
+++ b/asn.h
@@ -486,6 +486,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER,
         bool definite = BERLengthDecode(in, bc);\r
         if (!definite)\r
                 BERDecodeError();\r
+       if (bc > in.MaxRetrievable())\r
+               BERDecodeError();\r
  \r
         SecByteBlock buf(bc);\r
  \r
author	Gergely Nagy <ngg@tresorit.com>
	Wed, 14 Dec 2016 12:19:01 +0000 (13:19 +0100)
committer	Laszlo Boszormenyi (GCS) <gcs@debian.org>
	Tue, 27 Jun 2017 19:04:20 +0000 (20:04 +0100)