asn1: Handle more corner cases of OBJECT ID parsing
This commit is contained in:
parent
c449aa4430
commit
4faf517af4
|
@ -836,25 +836,33 @@ sc_asn1_decode_object_id(const u8 *inbuf, size_t inlen, struct sc_object_id *id)
|
||||||
*octet++ = *p - (a * 40);
|
*octet++ = *p - (a * 40);
|
||||||
inlen--;
|
inlen--;
|
||||||
} else {
|
} else {
|
||||||
a = (*p & 0x7F);
|
/* Use unsigned type here so we can process the whole INT range */
|
||||||
|
unsigned int value = (*p & 0x7F);
|
||||||
inlen--;
|
inlen--;
|
||||||
if (!inlen) {
|
while (inlen && *p & 0x80) {
|
||||||
sc_init_oid(id);
|
|
||||||
return SC_ERROR_INVALID_ASN1_OBJECT;
|
|
||||||
}
|
|
||||||
do {
|
|
||||||
/* Limit the OID values to int size and do not overflow */
|
/* Limit the OID values to int size and do not overflow */
|
||||||
if (a > (INT_MAX>>7)) {
|
if (value > (UINT_MAX>>7)) {
|
||||||
sc_init_oid(id);
|
sc_init_oid(id);
|
||||||
return SC_ERROR_NOT_SUPPORTED;
|
return SC_ERROR_NOT_SUPPORTED;
|
||||||
}
|
}
|
||||||
p++;
|
p++;
|
||||||
a <<= 7;
|
value <<= 7;
|
||||||
a |= *p & 0x7F;
|
value |= *p & 0x7F;
|
||||||
inlen--;
|
inlen--;
|
||||||
} while (inlen && *p & 0x80);
|
}
|
||||||
|
if (*p & 0x80) {
|
||||||
|
/* We dropped out from previous cycle on the end of
|
||||||
|
* data while still expecting continuation of value */
|
||||||
|
sc_init_oid(id);
|
||||||
|
return SC_ERROR_INVALID_ASN1_OBJECT;
|
||||||
|
}
|
||||||
/* In this case, the first octet was 2 */
|
/* In this case, the first octet was 2 */
|
||||||
*octet++ = a - (2 * 40);
|
value -= (2 * 40);
|
||||||
|
if (value > INT_MAX) {
|
||||||
|
sc_init_oid(id);
|
||||||
|
return SC_ERROR_NOT_SUPPORTED;
|
||||||
|
}
|
||||||
|
*octet++ = value;
|
||||||
}
|
}
|
||||||
|
|
||||||
while (inlen) {
|
while (inlen) {
|
||||||
|
@ -872,6 +880,12 @@ sc_asn1_decode_object_id(const u8 *inbuf, size_t inlen, struct sc_object_id *id)
|
||||||
a |= *p & 0x7F;
|
a |= *p & 0x7F;
|
||||||
inlen--;
|
inlen--;
|
||||||
}
|
}
|
||||||
|
if (*p & 0x80) {
|
||||||
|
/* We dropped out from previous cycle on the end of
|
||||||
|
* data while still expecting continuation of value */
|
||||||
|
sc_init_oid(id);
|
||||||
|
return SC_ERROR_INVALID_ASN1_OBJECT;
|
||||||
|
}
|
||||||
*octet++ = a;
|
*octet++ = a;
|
||||||
if (octet - id->value >= SC_MAX_OBJECT_ID_OCTETS) {
|
if (octet - id->value >= SC_MAX_OBJECT_ID_OCTETS) {
|
||||||
sc_init_oid(id);
|
sc_init_oid(id);
|
||||||
|
|
Loading…
Reference in New Issue