aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2019-02-09 23:34:24 (GMT)
committerJouni Malinen <j@w1.fi>2019-02-11 00:35:29 (GMT)
commit3eae9766b7e3aee20f6e6828e1468d244635f451 (patch)
tree61439da5a742fb017256fa4ffe55f9ba186e73e0
parentfbc2123a14319035b36f493af7584200f6169244 (diff)
downloadhostap-3eae9766b7e3aee20f6e6828e1468d244635f451.zip
hostap-3eae9766b7e3aee20f6e6828e1468d244635f451.tar.gz
hostap-3eae9766b7e3aee20f6e6828e1468d244635f451.tar.bz2
TLS: Fix ASN.1 parsing with no room for the header
Explicitly check the remaining buffer length before trying to read the ASN.1 header values. Attempt to parse an ASN.1 header when there was not enough buffer room for it would have started by reading one or two octets beyond the end of the buffer before reporting invalid data at the following explicit check for buffer room. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/tls/asn1.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/tls/asn1.c b/src/tls/asn1.c
index cec1092..822f87c 100644
--- a/src/tls/asn1.c
+++ b/src/tls/asn1.c
@@ -31,6 +31,10 @@ int asn1_get_next(const u8 *buf, size_t len, struct asn1_hdr *hdr)
pos = buf;
end = buf + len;
+ if (pos >= end) {
+ wpa_printf(MSG_DEBUG, "ASN.1: No room for Identifier");
+ return -1;
+ }
hdr->identifier = *pos++;
hdr->class = hdr->identifier >> 6;
hdr->constructed = !!(hdr->identifier & (1 << 5));
@@ -51,6 +55,10 @@ int asn1_get_next(const u8 *buf, size_t len, struct asn1_hdr *hdr)
} else
hdr->tag = hdr->identifier & 0x1f;
+ if (pos >= end) {
+ wpa_printf(MSG_DEBUG, "ASN.1: No room for Length");
+ return -1;
+ }
tmp = *pos++;
if (tmp & 0x80) {
if (tmp == 0xff) {