fixed DoS vulnerability in the parsing of distinguished names

author: Andreas Steffen <andreas.steffen@strongswan.org> 2009-06-09 22:03:33 +0200
committer: Andreas Steffen <andreas.steffen@strongswan.org> 2009-06-09 22:03:33 +0200
commit: b29832c74ff6935584cb7fe969c50fe1c3eaaded (patch)
tree: 510c62e4e91b87b6f163fcb49e027e05f757a5de /src
parent: 260158e53e53c08a21f2ee7f59479c53fe842ef9 (diff)
download: strongswan-b29832c74ff6935584cb7fe969c50fe1c3eaaded.tar.bz2
strongswan-b29832c74ff6935584cb7fe969c50fe1c3eaaded.tar.xz
2 files changed, 6 insertions, 1 deletions
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index d57444d67..c8ebd7943 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -296,6 +296,11 @@ size_t asn1_length(chunk_t *blob)
 		len = 256*len + *blob->ptr++;
 		blob->len--;
 	}
+	if (len > blob->len)
+	{
+		DBG2("length is larger than remaining blob size");
+		return ASN1_INVALID_LENGTH;
+	}
 	return len;
 }
 
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 4a0fafda7..bc4c0b50f 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -158,7 +158,7 @@ static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
 	
 	blob1->len = asn1_length(blob);
 	
-	if (blob1->len == ASN1_INVALID_LENGTH || blob->len < blob1->len)
+	if (blob1->len == ASN1_INVALID_LENGTH)
 	{
 		DBG1("L%d - %s:  length of ASN.1 object invalid or too large", 
 					level, obj.name);
author	Andreas Steffen <andreas.steffen@strongswan.org>	2009-06-09 22:03:33 +0200
committer	Andreas Steffen <andreas.steffen@strongswan.org>	2009-06-09 22:03:33 +0200
commit	b29832c74ff6935584cb7fe969c50fe1c3eaaded (patch)
tree	510c62e4e91b87b6f163fcb49e027e05f757a5de /src
parent	260158e53e53c08a21f2ee7f59479c53fe842ef9 (diff)
download	strongswan-b29832c74ff6935584cb7fe969c50fe1c3eaaded.tar.bz2 strongswan-b29832c74ff6935584cb7fe969c50fe1c3eaaded.tar.xz