Backport of:
From d3be674c3ffa3541e2ba757e2c6dfb32508db440 Mon Sep 17 00:00:00 2001
From: Gary Lockyer
Date: Wed, 8 Apr 2020 15:30:52 +1200
Subject: [PATCH 3/8] CVE-2020-10704: lib util asn1: Check parse tree depth
Check the current depth of the parse tree and reject the input if the depth exceeds that passed to asn1_init
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer
Reviewed-by: Andrew Bartlett
---
 lib/util/asn1.c | 13 +++++++++++++
 selftest/knownfail.d/ldap_message | 2 --
 2 files changed, 13 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/ldap_message
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -647,6 +647,16 @@ bool asn1_start_tag(struct asn1_data *da
 uint8_t b;
 struct nesting *nesting;
+ /*
+ * Check the depth of the parse tree and prevent it from growing
+ * too large.
+ */
+ data->depth++;
+ if (data->depth > data->max_depth) {
+ data->has_error = true;
+ return false;
+ }
+
 if (!asn1_read_uint8(data, &b))
 return false;
@@ -703,6 +713,9 @@ bool asn1_end_tag(struct asn1_data *data
 {
 struct nesting *nesting;
+ if (data->depth > 0) {
+ data->depth--;
+ }
 /* make sure we read it all */
 if (asn1_tag_remaining(data) != 0) {
 data->has_error = true;
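Review bot: `data->depth++` runs at function entry, before the bound check and before the `asn1_read_uint8` read, so every failing return visible here leaves the counter incremented although no nesting level was opened. The depth-limit path sets `has_error`, which presumably stops further parsing, but the counter can still drift from the real nesting depth if a caller continues after a failed call. Testing first with `if (data->depth >= data->max_depth) {` and moving `data->depth++;` to the point where the nesting entry is actually pushed (outside this hunk) would keep the two in step while accepting the same maximum depth. The same applies to the early `data->depth--` in the `asn1_end_tag` hunk, which runs before the `asn1_tag_remaining` check can fail.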
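Review bot: The `if (data->depth > 0)` guard carries no comment explaining when a zero depth can be seen here, and it silently accepts an `asn1_end_tag` call that has no matching `asn1_start_tag`. A short comment such as `/* depth is 0 only when end_tag has no matching start_tag; never underflow */` would record the intent for the next maintainer. The type of `depth` is not visible in this hunk, so whether the guard protects against unsigned wrap or a negative value should be confirmed against the struct definition. The body of `asn1_end_tag` continues past the end of the hunk.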