-rw-r--r-- | lib/util/asn1.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 7e37fbc91b..7635ce2d88 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -527,6 +527,18 @@ bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag, size_t *size
 data->has_error = false;
 return false;
 }
+ if (n > 4) {
+ /*
+ * We should not allow more than 4 bytes
+ * for the encoding of the tag length.
+ *
+ * Otherwise we'd overflow the taglen
+ * variable on 32 bit systems.
+ */
+ data->ofs = start_ofs;
+ data->has_error = false;
+ return false;
+ }
 taglen = b;
 while (n > 1) {
 if (!asn1_read_uint8(data, &b)) {
@@ -1020,7 +1032,7 @@ NTSTATUS asn1_peek_full_tag(DATA_BLOB blob, uint8_t tag, size_t *packet_size)
 ok = asn1_peek_tag_needed_size(&asn1, tag, &size);
 if (!ok) {
- return STATUS_MORE_ENTRIES;
+ return NT_STATUS_INVALID_BUFFER_SIZE;
 }
 if (size > blob.length) { |
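Review bot: The new `if (n > 4)` block keeps `taglen` within 32 bits, but it still accepts a 4-byte length near the maximum (for example 0xFFFFFFFF), so any later arithmetic that adds the already-consumed header bytes to `taglen` could wrap `size_t` on a 32-bit build. The computation of `*size` lies outside this hunk, so this is inferred rather than confirmed. If it does sum `taglen` with the header length, a guard such as `if (taglen > SIZE_MAX - hdr_len) { data->ofs = start_ofs; data->has_error = false; return false; }` belongs before it, where `hdr_len` is a placeholder for the bytes read so far. A wrapped, small `size` would pass the caller's `size > blob.length` comparison in `asn1_peek_full_tag`, which is the case the commit comment is trying to rule out.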
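Review bot: Returning `NT_STATUS_INVALID_BUFFER_SIZE` for every `!ok` result makes a truncated header indistinguishable from a malformed one. The first hunk shows `asn1_peek_tag_needed_size` returning `false` with `has_error` cleared on the read-failure paths as well as on the new `n > 4` path. A caller that previously received `STATUS_MORE_ENTRIES` when it had buffered only part of the tag/length bytes will now get a hard error. If that is intended, state the precondition on the function, e.g. `/* blob must already hold the complete tag and length octets; a short or malformed header yields NT_STATUS_INVALID_BUFFER_SIZE */`. Otherwise the helper needs a way to report the two cases separately. The rest of `asn1_peek_full_tag`, including what the `size > blob.length` branch returns, is outside the hunk.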