diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2007-06-13 05:44:24 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:53:18 -0500 |
| commit | 91adebe749beb0dc23cacaea316cb2b724776aad (patch) | |
| tree | 133d480f5b23b99fcf1149861136103dc4525cb1 /source4/heimdal/lib/asn1/der_get.c | |
| parent | f7110d928afd61cee203d07fd85968af993a327f (diff) | |
| download | samba-91adebe749beb0dc23cacaea316cb2b724776aad.tar.gz samba-91adebe749beb0dc23cacaea316cb2b724776aad.tar.bz2 samba-91adebe749beb0dc23cacaea316cb2b724776aad.zip | |
r23456: Update Samba4 to current lorikeet-heimdal.
Andrew Bartlett
(This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
Diffstat (limited to 'source4/heimdal/lib/asn1/der_get.c')
| -rw-r--r-- | source4/heimdal/lib/asn1/der_get.c | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/source4/heimdal/lib/asn1/der_get.c b/source4/heimdal/lib/asn1/der_get.c index a1ed23f10b..3022435b33 100644 --- a/source4/heimdal/lib/asn1/der_get.c +++ b/source4/heimdal/lib/asn1/der_get.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$Id: der_get.c,v 1.51 2006/12/28 17:14:25 lha Exp $"); +RCSID("$Id: der_get.c 20570 2007-04-27 14:06:27Z lha $"); #include <version.h> @@ -135,8 +135,21 @@ int der_get_general_string (const unsigned char *p, size_t len, heim_general_string *str, size_t *size) { + const unsigned char *p1; char *s; + p1 = memchr(p, 0, len); + if (p1 != NULL) { + /* + * Allow trailing NULs. We allow this since MIT Kerberos sends + * an strings in the NEED_PREAUTH case that includes a + * trailing NUL. + */ + while (p1 - p < len && *p1 == '\0') + p1++; + if (p1 - p != len) + return ASN1_BAD_CHARACTER; + } if (len > len + 1) return ASN1_BAD_LENGTH; @@ -180,6 +193,8 @@ der_get_bmp_string (const unsigned char *p, size_t len, if (len & 1) return ASN1_BAD_FORMAT; data->length = len / 2; + if (data->length > UINT_MAX/sizeof(data->data[0])) + return ERANGE; data->data = malloc(data->length * sizeof(data->data[0])); if (data->data == NULL && data->length != 0) return ENOMEM; @@ -202,6 +217,8 @@ der_get_universal_string (const unsigned char *p, size_t len, if (len & 3) return ASN1_BAD_FORMAT; data->length = len / 4; + if (data->length > UINT_MAX/sizeof(data->data[0])) + return ERANGE; data->data = malloc(data->length * sizeof(data->data[0])); if (data->data == NULL && data->length != 0) return ENOMEM; @@ -366,7 +383,7 @@ int der_get_oid (const unsigned char *p, size_t len, heim_oid *data, size_t *size) { - int n; + size_t n; size_t oldlen = len; if (len < 1) @@ -375,7 +392,10 @@ der_get_oid (const unsigned char *p, size_t len, if (len > len + 1) return ASN1_BAD_LENGTH; - data->components = malloc((len + 1) * sizeof(*data->components)); + if (len + 1 > UINT_MAX/sizeof(data->components[0])) + return ERANGE; + + data->components = malloc((len + 1) * sizeof(data->components[0])); if (data->components == NULL) return ENOMEM; data->components[0] = (*p) / 40; |