der/asn1: reduce max depth limit to 32
authorVictor Julien <victor@inliniac.net>
Sun, 22 Sep 2019 05:54:57 +0000 (07:54 +0200)
committerVictor Julien <victor@inliniac.net>
Mon, 23 Sep 2019 13:42:13 +0000 (15:42 +0200)
OpenSSL uses 30, so this seems a reasonable limit.

Set a smaller limit than before to reduce the resources spent on
specially crafted input designed to be maximally expensive.

src/util-decode-der.c

index 2bdb63fab2aad79707c0c69149bfb85ffe0ddb1a..dbde7643cc527133fb294185a450f9f77ed05ac8 100644 (file)
@@ -130,6 +130,9 @@ static int Asn1SequenceAppend(Asn1Generic *seq, Asn1Generic *node)
     return 0;
 }
 
+/* openssl has set a limit of 30, so stay close to that. */
+#define DER_MAX_RECURSION_DEPTH 32
+
 static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer,
                                           uint32_t max_size, uint8_t depth,
                                           int seq_index, uint32_t *errcode)
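Review bot: The new `DER_MAX_RECURSION_DEPTH` define is placed between two function bodies, so a reader scanning the file's constants will not find it next to the other limits; it belongs with the file's other `#define`s at the top (or in the header, if the depth cap is something callers should be able to see). The comment above it also only records where 32 comes from, not what crossing it does, which is the part a maintainer tuning the value needs; I would write `/* Hard cap on the nesting depth DecodeAsn1DerGeneric() will descend into; deeper input is rejected with ERR_DER_RECURSION_LIMIT. OpenSSL uses 30, so stay close to that. */`. The check that consumes the constant is in the next hunk.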
@@ -143,7 +146,7 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer,
     uint8_t el_type;
 
     /* refuse excessive recursion */
-    if (unlikely(depth == 255)) {
+    if (unlikely(depth >= DER_MAX_RECURSION_DEPTH)) {
         *errcode = ERR_DER_RECURSION_LIMIT;
         return NULL;
     }
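Review bot: The comparison is `>=`, so the exact number of levels accepted depends on what `depth` the outermost call passes, which is outside this hunk; if the top-level call starts at 0 (presumably, not visible here), 32 nested elements are decoded and the 33rd is refused, and the comment should say so rather than the generic `/* refuse excessive recursion */`, e.g. `/* refuse excessive recursion: depth 0 is the outermost element, so at most DER_MAX_RECURSION_DEPTH levels are decoded before ERR_DER_RECURSION_LIMIT is returned */`. Since `depth` stays `uint8_t`, the old `== 255` sentinel no longer matters, but keeping `>=` is the right choice should a caller ever pass a starting depth above zero. The rest of DecodeAsn1DerGeneric(), including where `depth` is incremented for nested elements, is outside the hunk.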