tls: DER length byte 0x81 is actually valid

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2017-01-14 22:38:25 +01:00 · 2017-01-14 22:38:25 +01:00 · 2a17d1fc9b
commit 2a17d1fc9b
parent b1003f7019
1 changed files with 16 additions and 11 deletions
--- a/networking/tls.c
+++ b/networking/tls.c
@ -348,7 +348,7 @@ static void get_server_hello_or_die(tls_state_t *tls)
 static unsigned get_der_len(uint8_t **bodyp, uint8_t *der, uint8_t *end)
 {
-	unsigned len;
+	unsigned len, len1;
 	if (end - der < 2)
 		xfunc_die();
@ -358,24 +358,29 @@ static unsigned get_der_len(uint8_t **bodyp, uint8_t *der, uint8_t *end)
 	len = der[1]; /* maybe it's short len */
 	if (len >= 0x80) {
 		/* no */
-		if (len != 0x82) {
+		if (end - der < (int)(len - 0x7e)) /* need 3 or 4 bytes for 81, 82 */
 			xfunc_die();
 		len1 = der[2];
 		if (len == 0x81) {
 			/* it's "ii 81 xx" */
 		} else if (len == 0x82) {
 			/* it's "ii 82 xx yy" */
 			len1 = 0x100*len1 + der[3];
 			der += 1; /* skip [yy] */
 		} else {
 			/* 0x80 is "0 bytes of len", invalid DER: must use short len if can */
 			/* 0x81 is "1 byte of len", invalid DER */
 			/* >0x82 is "3+ bytes of len", should not happen realistically */
 			xfunc_die();
 		}
-		if (end - der < 4)
+		der += 1; /* skip [xx] */
-			xfunc_die();
+		len = len1;
 		/* it's "ii 82 xx yy" */
 		len = 0x100*der[2] + der[3];
 //		if (len < 0x80)
 //			xfunc_die(); /* invalid DER: must use short len if can */
 		der += 2; /* skip [code]+[82]+[2byte_len] */
 	}
-	der += 2; /* skip [code]+[1byte_len] */
+	der += 2; /* skip [code]+[1byte] */
-	if (end - der < len)
+	if (end - der < (int)len)
 		xfunc_die();
 	*bodyp = der;