mirror of https://gerrit.osmocom.org/asn1c
finally got it right
This commit is contained in:
parent
1eded3544e
commit
97c5cfc8c5
|
@ -51,6 +51,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
|
|||
}
|
||||
|
||||
if(oct == 0) {
|
||||
ber_tlv_len_t lenplusepsilon = len + 1024;
|
||||
/*
|
||||
* Here length may be very close or equal to 2G.
|
||||
* However, the arithmetics used in some decoders
|
||||
|
@ -58,7 +59,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
|
|||
* to check the resulting value against some limits.
|
||||
* This may result in integer wrap-around.
|
||||
*/
|
||||
if((len + 1024) < len - 1024) {
|
||||
if(lenplusepsilon < 0) {
|
||||
/* Too large length value */
|
||||
return -1;
|
||||
}
|
||||
|
|
|
@ -112,9 +112,11 @@ main() {
|
|||
* Here although tlv_len is not greater than 2^31,
|
||||
* we ought to hit an embedded length exploitation preventive check.
|
||||
*/
|
||||
printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len));
|
||||
if(sizeof(tlv_len) <= 4) {
|
||||
ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
|
||||
printf("ret=%ld\n", (long)ret);
|
||||
printf("len=0x%x\n", (long)tlv_len);
|
||||
assert(ret == -1);
|
||||
}
|
||||
if(sizeof(tlv_len) <= 8) {
|
||||
|
|
Loading…
Reference in New Issue