fixed DoS vulnerability in the parsing of ASN.1 time strings

1 files changed, 17 insertions, 4 deletions

diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index c8ebd7943..c7da87192 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -326,12 +326,18 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 	}
 	else if ((eot = memchr(utctime->ptr, '+', utctime->len)) != NULL)
 	{
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in positive timezone offset format */
+		}
 		tz_offset = 3600*tz_hour + 60*tz_min;  /* positive time zone offset */
 	}
 	else if ((eot = memchr(utctime->ptr, '-', utctime->len)) != NULL)
 	{
-		sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min);
+		if (sscanf(eot+1, "%2d%2d", &tz_hour, &tz_min) != 2)
+		{
+			return 0; /* error in negative timezone offset format */
+		}
 		tz_offset = -3600*tz_hour - 60*tz_min;  /* negative time zone offset */
 	}
 	else
@@ -344,13 +350,20 @@ time_t asn1_to_time(const chunk_t *utctime, asn1_t type)
 		const char* format = (type == ASN1_UTCTIME)? "%2d%2d%2d%2d%2d":
 													 "%4d%2d%2d%2d%2d";
 	
-		sscanf(utctime->ptr, format, &tm_year, &tm_mon, &tm_day, &tm_hour, &tm_min);
+		if (sscanf(utctime->ptr, format, &tm_year, &tm_mon, &tm_day,
+										 &tm_hour, &tm_min) != 5)
+		{
+			return 0; /* error in time st [yy]yymmddhhmm time format */
+		}
 	}
 	
 	/* is there a seconds field? */
 	if ((eot - utctime->ptr) == ((type == ASN1_UTCTIME)?12:14))
 	{
-		sscanf(eot-2, "%2d", &tm_sec);
+		if (sscanf(eot-2, "%2d", &tm_sec) != 1)
+		{
+			return 0; /* error in ss seconds field format */
+		}
 	}
 	else
 	{