possible stack overflow due to recursion in ber_free_elements().
ok claudio@
-/* $OpenBSD: ber.c,v 1.17 2018/07/31 19:38:09 rob Exp $ */
+/* $OpenBSD: ber.c,v 1.18 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
long long val = 0;
struct ber_element *next;
unsigned int type;
- int i, class, cstruct;
+ int i, class, cstruct, elements = 0;
ssize_t len, r, totlen = 0;
u_char c;
}
next = elm->be_sub;
while (len > 0) {
+ /*
+ * Prevent stack overflow from excessive recursion
+ * depth in ber_free_elements().
+ */
+ if (elements >= BER_MAX_SEQ_ELEMENTS) {
+ errno = ERANGE;
+ return -1;
+ }
r = ber_read_element(ber, next);
if (r == -1)
return -1;
+ elements++;
len -= r;
if (len > 0 && next->be_next == NULL) {
if ((next->be_next = ber_get_element(0)) ==
-/* $OpenBSD: ber.h,v 1.5 2018/07/31 11:02:01 claudio Exp $ */
+/* $OpenBSD: ber.h,v 1.6 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
#define BER_CLASS_MASK 0x3
/* common definitions */
-#define BER_MIN_OID_LEN 2 /* OBJECT */
-#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MIN_OID_LEN 2 /* OBJECT */
+#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MAX_SEQ_ELEMENTS USHRT_MAX /* 65535 */
struct ber_oid {
u_int32_t bo_id[BER_MAX_OID_LEN + 1];
-/* $OpenBSD: ber.c,v 1.27 2018/07/31 19:38:09 rob Exp $ */
+/* $OpenBSD: ber.c,v 1.28 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
long long val = 0;
struct ber_element *next;
unsigned int type;
- int i, class, cstruct;
+ int i, class, cstruct, elements = 0;
ssize_t len, r, totlen = 0;
u_char c;
}
next = elm->be_sub;
while (len > 0) {
+ /*
+ * Prevent stack overflow from excessive recursion
+ * depth in ber_free_elements().
+ */
+ if (elements >= BER_MAX_SEQ_ELEMENTS) {
+ errno = ERANGE;
+ return -1;
+ }
r = ber_read_element(ber, next);
if (r == -1)
return -1;
+ elements++;
len -= r;
if (len > 0 && next->be_next == NULL) {
if ((next->be_next = ber_get_element(0)) ==
-/* $OpenBSD: ber.h,v 1.6 2018/07/31 11:01:00 claudio Exp $ */
+/* $OpenBSD: ber.h,v 1.7 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
#define BER_CLASS_MASK 0x3
/* common definitions */
-#define BER_MIN_OID_LEN 2 /* OBJECT */
-#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MIN_OID_LEN 2 /* OBJECT */
+#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MAX_SEQ_ELEMENTS USHRT_MAX /* 65535 */
struct ber_oid {
u_int32_t bo_id[BER_MAX_OID_LEN + 1];
-/* $OpenBSD: ber.c,v 1.46 2018/07/31 19:38:09 rob Exp $ */
+/* $OpenBSD: ber.c,v 1.47 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
long long val = 0;
struct ber_element *next;
unsigned int type;
- int i, class, cstruct;
+ int i, class, cstruct, elements = 0;
ssize_t len, r, totlen = 0;
u_char c;
}
next = elm->be_sub;
while (len > 0) {
+ /*
+ * Prevent stack overflow from excessive recursion
+ * depth in ber_free_elements().
+ */
+ if (elements >= BER_MAX_SEQ_ELEMENTS) {
+ errno = ERANGE;
+ return -1;
+ }
r = ber_read_element(ber, next);
if (r == -1)
return -1;
+ elements++;
len -= r;
if (len > 0 && next->be_next == NULL) {
if ((next->be_next = ber_get_element(0)) ==
-/* $OpenBSD: ber.h,v 1.12 2018/07/31 11:01:29 claudio Exp $ */
+/* $OpenBSD: ber.h,v 1.13 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
#define BER_CLASS_MASK 0x3
/* common definitions */
-#define BER_MIN_OID_LEN 2 /* OBJECT */
-#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MIN_OID_LEN 2 /* OBJECT */
+#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MAX_SEQ_ELEMENTS USHRT_MAX /* 65535 */
struct ber_oid {
u_int32_t bo_id[BER_MAX_OID_LEN + 1];
-/* $OpenBSD: ber.c,v 1.29 2018/07/31 19:38:09 rob Exp $ */
+/* $OpenBSD: ber.c,v 1.30 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
long long val = 0;
struct ber_element *next;
unsigned int type;
- int i, class, cstruct;
+ int i, class, cstruct, elements = 0;
ssize_t len, r, totlen = 0;
u_char c;
}
next = elm->be_sub;
while (len > 0) {
+ /*
+ * Prevent stack overflow from excessive recursion
+ * depth in ber_free_elements().
+ */
+ if (elements >= BER_MAX_SEQ_ELEMENTS) {
+ errno = ERANGE;
+ return -1;
+ }
r = ber_read_element(ber, next);
if (r == -1)
return -1;
+ elements++;
len -= r;
if (len > 0 && next->be_next == NULL) {
if ((next->be_next = ber_get_element(0)) ==
-/* $OpenBSD: ber.h,v 1.7 2018/07/31 11:00:12 claudio Exp $ */
+/* $OpenBSD: ber.h,v 1.8 2018/08/03 01:51:28 rob Exp $ */
/*
* Copyright (c) 2007, 2012 Reyk Floeter <reyk@openbsd.org>
#define BER_CLASS_MASK 0x3
/* common definitions */
-#define BER_MIN_OID_LEN 2 /* OBJECT */
-#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MIN_OID_LEN 2 /* OBJECT */
+#define BER_MAX_OID_LEN 32 /* OBJECT */
+#define BER_MAX_SEQ_ELEMENTS USHRT_MAX /* 65535 */
struct ber_oid {
u_int32_t bo_id[BER_MAX_OID_LEN + 1];
projects / openbsd / commitdiff