Backport of:
|
|
|
|
From d3be674c3ffa3541e2ba757e2c6dfb32508db440 Mon Sep 17 00:00:00 2001
|
|
From: Gary Lockyer <gary@catalyst.net.nz>
|
|
Date: Wed, 8 Apr 2020 15:30:52 +1200
|
|
Subject: [PATCH 3/8] CVE-2020-10704: lib util asn1: Check parse tree depth
|
|
|
|
Check the current depth of the parse tree and reject the input if the
|
|
depth exceeds that passed to asn1_init
|
|
|
|
Credit to OSS-Fuzz
|
|
|
|
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
|
|
|
|
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
---
|
|
lib/util/asn1.c | 13 +++++++++++++
|
|
selftest/knownfail.d/ldap_message | 2 --
|
|
2 files changed, 13 insertions(+), 2 deletions(-)
|
|
delete mode 100644 selftest/knownfail.d/ldap_message
|
|
|
|
--- a/lib/util/asn1.c
|
|
+++ b/lib/util/asn1.c
|
|
@@ -647,6 +647,16 @@ bool asn1_start_tag(struct asn1_data *da
|
|
uint8_t b;
|
|
struct nesting *nesting;
|
|
|
|
+ /*
|
|
+ * Check the depth of the parse tree and prevent it from growing
|
|
+ * too large.
|
|
+ */
|
|
+ data->depth++;
|
|
+ if (data->depth > data->max_depth) {
|
|
+ data->has_error = true;
|
|
+ return false;
|
|
+ }
|
|
+
|
|
if (!asn1_read_uint8(data, &b))
|
|
return false;
|
|
|
|
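Review bot: `data->depth++` runs before the limit check and before `asn1_read_uint8()`, so every failing return in asn1_start_tag leaves the counter raised with no matching asn1_end_tag to lower it. That is harmless only while `has_error` stays set for the rest of the parse; if any caller clears the error and retries on the same asn1_data (not visible here), the drift would eventually reject well-formed input. Consider testing first with `if (data->depth >= data->max_depth) { data->has_error = true; return false; }` and incrementing only where the tag is accepted, which is below this hunk. The comment could also say that the limit is the value passed to asn1_init and what a max_depth of 0 means.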
@@ -703,6 +713,9 @@ bool asn1_end_tag(struct asn1_data *data
|
|
{
|
|
struct nesting *nesting;
|
|
|
|
+ if (data->depth > 0) {
|
|
+ data->depth--;
|
|
+ }
|
|
/* make sure we read it all */
|
|
if (asn1_tag_remaining(data) != 0) {
|
|
data->has_error = true;
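Review bot: The `if (data->depth > 0)` guard quietly absorbs an asn1_end_tag that has no matching asn1_start_tag, and the decrement happens before the `asn1_tag_remaining()` check, so a call that then fails still lowers the counter. If the unbalanced case is reported further down (the rest of the function is outside this hunk), a comment such as `/* never underflow; an unmatched end tag is rejected below */` would make that dependency explicit; otherwise an `else` branch setting `data->has_error = true` seems warranted. A blank line between the closing `}` and `/* make sure we read it all */` would match the layout of the first hunk.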
|