mirror of https://gerrit.osmocom.org/asn1c
finally got it right
parent
1eded3544e
commit
97c5cfc8c5
|
@ -51,6 +51,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
|
||||||
}
|
}
|
||||||
|
|
||||||
if(oct == 0) {
|
if(oct == 0) {
|
||||||
|
ber_tlv_len_t lenplusepsilon = len + 1024;
|
||||||
/*
|
/*
|
||||||
* Here length may be very close or equal to 2G.
|
* Here length may be very close or equal to 2G.
|
||||||
* However, the arithmetics used in some decoders
|
* However, the arithmetics used in some decoders
|
||||||
|
@ -58,7 +59,7 @@ ber_fetch_length(int _is_constructed, const void *bufptr, size_t size,
|
||||||
* to check the resulting value against some limits.
|
* to check the resulting value against some limits.
|
||||||
* This may result in integer wrap-around.
|
* This may result in integer wrap-around.
|
||||||
*/
|
*/
|
||||||
if((len + 1024) < len - 1024) {
|
if(lenplusepsilon < 0) {
|
||||||
/* Too large length value */
|
/* Too large length value */
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
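Review bot: The new guard `if(lenplusepsilon < 0)` only fires if `len + 1024` wraps to a negative value. For a signed `ber_tlv_len_t` that is signed overflow, which is undefined behaviour in C, so an optimizing compiler may remove the test (the `< 0` comparison implies the type is signed; its typedef is not visible on this page). This check is what rejects lengths near the type's maximum that come from the encoded input, so it should be made before the addition. For example `if(len < 0 || len > LEN_MAX - 1024) return -1;`, where `LEN_MAX` is a placeholder for the maximum value of `ber_tlv_len_t`. The body of ber_fetch_length starts and ends outside these two hunks, so how `len` is accumulated cannot be reviewed here.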
|
||||||
|
|
|
@ -112,9 +112,11 @@ main() {
|
||||||
* Here although tlv_len is not greater than 2^31,
|
* Here although tlv_len is not greater than 2^31,
|
||||||
* we ought to hit an embedded length exploitation preventive check.
|
* we ought to hit an embedded length exploitation preventive check.
|
||||||
*/
|
*/
|
||||||
|
printf("sizeof(tlv_len) = %d\n", (int)sizeof(tlv_len));
|
||||||
if(sizeof(tlv_len) <= 4) {
|
if(sizeof(tlv_len) <= 4) {
|
||||||
ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
|
ret = ber_fetch_length(0, buf3, sizeof(buf3), &tlv_len);
|
||||||
printf("ret=%ld\n", (long)ret);
|
printf("ret=%ld\n", (long)ret);
|
||||||
|
printf("len=0x%x\n", (long)tlv_len);
|
||||||
assert(ret == -1);
|
assert(ret == -1);
|
||||||
}
|
}
|
||||||
if(sizeof(tlv_len) <= 8) {
|
if(sizeof(tlv_len) <= 8) {
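Review bot: The added `printf("len=0x%x\n", (long)tlv_len);` passes a `long` to `%x`, which expects an `unsigned int`. The mismatch is undefined behaviour and can print a truncated or wrong value where `long` is wider than `int`; use `printf("len=0x%lx\n", (unsigned long)tlv_len);`. The line also prints `tlv_len` on the path where the call is expected to return -1. Whether ber_fetch_length stores a length on failure is not visible here, so the value may be indeterminate unless `tlv_len` is initialized earlier in main(), which begins outside the hunk.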
|
||||||
|
|