*** empty log message ***

git-svn-id: https://asn1c.svn.sourceforge.net/svnroot/asn1c/trunk@1114 59561ff5-6e30-0410-9f3c-9617f08c8826
2006-07-13 09:22:34 +00:00 · 2006-07-13 09:22:34 +00:00 · 735e461d92
parent 1aeadddd63
commit 735e461d92
3 changed files with 38 additions and 24 deletions
--- a/skeletons/ber_tlv_length.c
+++ b/skeletons/ber_tlv_length.c
@ -51,7 +51,6 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 		}

 		if(oct == 0) {
-
 			/*
 			 * Here length may be very close or equal to 2G.
 			 * However, the arithmetics used in some decoders
@ -59,7 +58,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
 			 * to check the resulting value against some limits.
 			 * This may result in integer wrap-around.
 			 */
-			if((len + 1024) < 0) {
+			if((len + 1024) < len - 1024) {
 				/* Too large length value */
 				return -1;
 			}
--- a/skeletons/tests/check-OIDs.c
+++ b/skeletons/tests/check-OIDs.c
@ -121,11 +121,13 @@ check_REGEN(int *arcs, int acount) {
 	int ret;
 	int i;

-	fprintf(stderr, "Encoding (R) {");
-	for(i = 0; i < acount; i++) {
-		fprintf(stderr, " %u", arcs[i]);
+	if(0) {
+		fprintf(stderr, "Encoding (R) {");
+		for(i = 0; i < acount; i++) {
+			fprintf(stderr, " %u", arcs[i]);
+		}
+		fprintf(stderr, " }\n");
 	}
-	fprintf(stderr, " }\n");

 	ret = RELATIVE_OID_set_arcs(&oid, arcs, sizeof(arcs[0]), acount);
 	assert(ret == 0);
@ -137,12 +139,15 @@ check_REGEN(int *arcs, int acount) {
 	assert(alen <= tmp_alen);
 	assert(alen == acount);

-	fprintf(stderr, "Encoded  (R) { ");
-	for(i = 0; i < alen; i++) {
-		fprintf(stderr, "%lu ", tmp_arcs[i]); fflush(stdout);
-		assert(arcs[i] == (int)tmp_arcs[i]);
+	if(0) {
+		fprintf(stderr, "Encoded  (R) { ");
+		for(i = 0; i < alen; i++) {
+			fprintf(stderr, "%lu ", tmp_arcs[i]); fflush(stdout);
+			assert(arcs[i] == (int)tmp_arcs[i]);
+		}
+		fprintf(stderr, "}\n");
 	}
-	fprintf(stderr, "}\n");
+
 }

 /*
@ -158,11 +163,13 @@ check_REGEN_OID(int *arcs, int acount) {
 	int ret;
 	int i;

-	fprintf(stderr, "Encoding (O) {");
-	for(i = 0; i < acount; i++) {
-		fprintf(stderr, " %u", arcs[i]);
+	if(0) {
+		fprintf(stderr, "Encoding (O) {");
+		for(i = 0; i < acount; i++) {
+			fprintf(stderr, " %u", arcs[i]);
+		}
+		fprintf(stderr, " }\n");
 	}
-	fprintf(stderr, " }\n");

 	ret = OBJECT_IDENTIFIER_set_arcs(&oid, arcs, sizeof(arcs[0]), acount);
 	assert(ret == 0);
@ -174,14 +181,15 @@ check_REGEN_OID(int *arcs, int acount) {
 	assert(alen <= tmp_alen);
 	assert(alen == acount);

-	fprintf(stderr, "Encoded  (O) { ");
-	for(i = 0; i < alen; i++) {
-		fprintf(stderr, "%lu ", tmp_arcs[i]); fflush(stdout);
-		assert(arcs[i] == (int)tmp_arcs[i]);
+	if(0) {
+		fprintf(stderr, "Encoded  (O) { ");
+		for(i = 0; i < alen; i++) {
+			fprintf(stderr, "%lu ", tmp_arcs[i]); fflush(stdout);
+			assert(arcs[i] == (int)tmp_arcs[i]);
+		}
+		fprintf(stderr, "}\n");
 	}
-	fprintf(stderr, "}\n");
 }
-
 static int
 check_speed() {
 	uint8_t buf[] = { 0x80 | 7, 0x80 | 2, 0x80 | 3, 0x80 | 4, 13 };
--- a/skeletons/tests/check-length.c
+++ b/skeletons/tests/check-length.c
@ -101,18 +101,25 @@ main() {
 	ret = ber_fetch_length(0, buf1, sizeof(buf1), &tlv_len);
 	printf("ret=%ld, len=%ld\n", (long)ret, (long)tlv_len);
 	assert(ret == sizeof(buf1));
+	assert(tlv_len == 0x01020304);

 	ret = ber_fetch_length(0, buf2, sizeof(buf2), &tlv_len);
 	printf("ret=%ld, len=%ld\n", (long)ret, (long)tlv_len);
 	assert(ret == sizeof(buf2));
+	assert(tlv_len == 0x7fff0304);

-	if(sizeof(tlv_len) == 4) {
+	/*
+	 * Here although tlv_len is not greater than 2^31,
+	 * we ought to hit an embedded length exploitation preventive check.
+	 */
+	if(sizeof(tlv_len) <= 4) {
 		ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
 		printf("ret=%ld\n", (long)ret);
 		assert(ret == -1);
-	} else if(sizeof(tlv_len) == 8) {
+	}
+	if(sizeof(tlv_len) <= 8) {
 		ret = ber_fetch_length(0, buf4, sizeof(buf4), &tlv_len);
-		printf("ret=%ld\n", (long)ret);
+		printf("ret=%lld\n", (long long)ret);
 		assert(ret == -1);
 	}