The RDN parser vulnerability discovered by the Orange Labs research team was not completely fixed in version 4.2.16. Some more modifications had to be applied to the asn1_length() function.
Andreas Steffen 2009-07-20 12:53:17 +02:00
parent 0fcfd0f5a3
commit d3875b13a9
2 changed files with 36 additions and 12 deletions


@ -225,25 +225,32 @@ u_int asn1_length(chunk_t *blob)
u_char n;
size_t len;
/* advance from tag field on to length field */
blob->ptr++;
blob->len--;
if (blob->len < 2)
{
DBG2("insufficient number of octets to parse ASN.1 length");
return ASN1_INVALID_LENGTH;
}
/* read first octet of length field */
n = *blob->ptr++;
blob->len--;
/* read length field, skip tag and length */
n = blob->ptr[1];
*blob = chunk_skip(*blob, 2);
if ((n & 0x80) == 0)
{/* single length octet */
{ /* single length octet */
if (n > blob->len)
{
DBG2("length is larger than remaining blob size");
return ASN1_INVALID_LENGTH;
}
return n;
}
/* composite length, determine number of length octets */
n &= 0x7f;
if (n > blob->len)
if (n == 0 || n > blob->len)
{
DBG2("number of length octets is larger than ASN.1 object");
DBG2("number of length octets invalid");
return ASN1_INVALID_LENGTH;
}
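Review bot: The new guard `if (n == 0 || n > blob->len)` only proves that n length octets are physically present in the blob; after `n &= 0x7f` n can still be up to 127, and nothing in the hunk bounds it against `sizeof(len)` (len is declared size_t). If the code after the hunk accumulates those n octets into len, as the variable name suggests, an over-long length field would wrap silently rather than being rejected; unless such a check already exists below, the condition could read `if (n == 0 || n > sizeof(len) || n > blob->len)` so the existing "number of length octets invalid" path covers it. The same applies to the second hunk (pluto's asn1_length, `if (n == 0 || n > blob->len)` there). asn1_length continues outside this hunk, so the accumulation loop is not visible here.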


@ -153,6 +153,14 @@ asn1_length(chunk_t *blob)
u_char n;
size_t len;
if (blob->len < 2)
{
DBG(DBG_PARSING,
DBG_log("insufficient number of octets to parse ASN.1 length")
)
return ASN1_INVALID_LENGTH;
}
/* advance from tag field on to length field */
blob->ptr++;
blob->len--;
@ -161,16 +169,25 @@ asn1_length(chunk_t *blob)
n = *blob->ptr++;
blob->len--;
if ((n & 0x80) == 0) /* single length octet */
if ((n & 0x80) == 0)
{ /* single length octet */
if (n > blob->len)
{
DBG(DBG_PARSING,
DBG_log("length is larger than remaining blob size")
)
return ASN1_INVALID_LENGTH;
}
return n;
}
/* composite length, determine number of length octets */
n &= 0x7f;
if (n > blob->len)
if (n == 0 || n > blob->len)
{
DBG(DBG_PARSING,
DBG_log("number of length octets is larger than ASN.1 object")
DBG_log("number of length octets invalid")
)
return ASN1_INVALID_LENGTH;
}
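Review bot: The replacement message `DBG_log("number of length octets invalid")` is less useful for triage than the one it replaces, since a zero count and a count exceeding the remaining blob are now reported identically, and neither value is logged. DBG_log appears to be printf-style, so `DBG_log("number of length octets invalid (%d of %d remaining)", (int)n, (int)blob->len)` would let a reader of the parsing log tell a truncated object from a malformed length field without a debugger; the charon hunk's DBG2 could carry the same detail. asn1_length starts and ends outside this hunk.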