]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
Don't handle PKCS#7 containers with infinite length encodings in pkcs7 plugin
authorMartin Willi <martin@revosec.ch>
Thu, 29 Nov 2012 15:12:45 +0000 (16:12 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 19 Dec 2012 09:32:08 +0000 (10:32 +0100)
src/libstrongswan/plugins/pkcs7/pkcs7_generic.c

index 0a8b1bbd047bdc939d22e71eba94d8663a2d95c1..13fe5f54abc25cec31cb4e39ffd1f8937eb615a6 100644 (file)
@@ -114,6 +114,12 @@ pkcs7_t *pkcs7_generic_load(container_type_t type, va_list args)
        }
        if (blob.len)
        {
+               if (blob.len >= 2 &&
+                       blob.ptr[0] == ASN1_SEQUENCE && blob.ptr[1] == 0x80)
+               {       /* looks like infinite lenght BER encoding, but we can't handle it.
+                        * ignore silently, our openssl backend can handle it */
+                       return NULL;
+               }
                return parse_contentInfo(blob);
        }
        return NULL;
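Review bot: The added guard in pkcs7_generic_load() inspects only the outermost tag and first length octet (`blob.ptr[0] == ASN1_SEQUENCE && blob.ptr[1] == 0x80`), so a container whose outer SEQUENCE has a definite length but whose nested elements use indefinite-length BER still reaches `parse_contentInfo(blob)`. Whether the parser rejects that input cleanly is not visible from this hunk and should be confirmed. Because the rejection is deliberately silent, a build without the openssl plugin will fail to load such a container with no diagnostic; a low-verbosity message before the `return NULL;`, such as `DBG2(DBG_ASN, "indefinite length BER encoded PKCS#7 not supported by pkcs7 plugin");`, would make the failure traceable. The comment should say "indefinite length" (the BER term) rather than "infinite lenght". The function body begins above the hunk, so how `blob` is populated is not visible here.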