further limit OID encoding

due to rules of first 2 fields are (x*40) + y, if the first
component is 0 or 1, then the second component has to be 0..39

If the first component is 2, then the second component can be
anything.

diff --git a/src/protocols/der/encode.c b/src/protocols/der/encode.c
index 870b83e46653d3f1b13afeb550878699b24c6847..4c2e5640cc5ea8dc2a0ac44c00c9de2a28dd6248 100644 (file)
--- a/src/protocols/der/encode.c
+++ b/src/protocols/der/encode.c
@@ -499,7 +499,13 @@ static ssize_t fr_der_encode_oid_to_str(fr_dbuff_t *dbuff, const char *oid_str)
                 *      The initial packed field has the first two compenents included, as (x * 40) + y.
                 */
                if (first) {
-                       if (oid > (((unsigned long long) 1) << 60)) goto invalid_oid; /* avoid overflow */
+                       if (first_component < 2) {
+                               if (oid >= 40) goto invalid_oid;
+
+                       } else {
+                               if (oid > (((unsigned long long) 1) << 60)) goto invalid_oid; /* avoid overflow */
+                       }
+
                        first = false;
                        oid += first_component * 40;
                }