CVE-2020-10704: lib util asn1: Check parse tree depth
authorGary Lockyer <gary@catalyst.net.nz>
Wed, 8 Apr 2020 03:30:52 +0000 (15:30 +1200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 21 Apr 2020 08:21:09 +0000 (10:21 +0200)
Check the current depth of the parse tree and reject the input if the
depth exceeds that passed to asn1_init

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/util/asn1.c
selftest/knownfail.d/ldap_message [deleted file]

index c6c2f3bbec20c0c94be548ee978046c7926d0389..def71585d3847db2350e1dfe96522844e9d71e3a 100644 (file)
@@ -640,6 +640,16 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
        uint8_t b;
        struct nesting *nesting;
 
+       /*
+        * Check the depth of the parse tree and prevent it from growing
+        * too large.
+        */
+       data->depth++;
+       if (data->depth > data->max_depth) {
+               data->has_error = true;
+               return false;
+       }
+
        if (!asn1_read_uint8(data, &b))
                return false;
 
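Review bot: `data->depth++` runs before every later failure return in asn1_start_tag, including the `asn1_read_uint8` failure directly below it, and the only decrement is in asn1_end_tag, so a failed start leaves the counter one higher than the real nesting. That is safe only if has_error is sticky and callers discard the context after a false return, which this hunk does not show; the comment should say so, e.g. `* depth is not rolled back on failure; has_error is set and data must not be reused.` The comment could also name where the limit comes from (`max_depth` as passed to asn1_init, per the commit message), since a reader of this function alone cannot tell who chooses it. The function body continues outside the hunk.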
@@ -696,6 +706,9 @@ bool asn1_end_tag(struct asn1_data *data)
 {
        struct nesting *nesting;
 
+       if (data->depth > 0) {
+               data->depth--;
+       }
        /* make sure we read it all */
        if (asn1_tag_remaining(data) != 0) {
                data->has_error = true;
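Review bot: The `if (data->depth > 0)` guard silently absorbs an asn1_end_tag that has no matching asn1_start_tag, and the decrement happens before the `asn1_tag_remaining` check, so on that error path depth has already dropped while the nesting entry is presumably still in place. If the rest of the function already rejects a missing nesting entry (not visible here), a short comment is enough: `/* guard against underflow; an unbalanced end tag is rejected below */`. Otherwise consider moving the decrement to the point where the nesting entry is actually released, so the counter and the nesting list cannot drift apart. The function body continues outside the hunk.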
diff --git a/selftest/knownfail.d/ldap_message b/selftest/knownfail.d/ldap_message
deleted file mode 100644 (file)
index 242eff4..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-^libcli.ldap.ldap_message.test_recursion_depth_greater_than_max\(none\)
-^libcli.ldap.ldap_message.test_recursion_depth_large\(none\)