TLS parser: add sanity checks on loop

It was possible in some loop to read data placed after the buffer
resulting in invalid/unpredictable value. This patch fixes two of
this issues.

diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index 2f530b84a7291667e71f308aacae79ee5ce92b6d..75a1ed3b009d6c21a87b13146209fa943b3bd227 100644 (file)
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -206,6 +206,12 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer, uint32_t
                 d_ptr++;
             } else { /* long form 8.1.3.5 */
                 numbytes = c & 0x7f;
+                if (numbytes > el_max_size) {
+                    SCFree(child);
+                    SCLogWarning(SC_ERR_INVALID_VALUE,
+                                 "DER message requires to read over message");
+                    return NULL;
+                }
                 child->length = 0;
                 d_ptr++;
                 for (i=0; i<numbytes; i++) {
@@ -235,6 +241,13 @@ static Asn1Generic * DecodeAsn1DerInteger(const unsigned char *buffer, uint32_t
     Asn1Generic *a;
 
     numbytes = d_ptr[1];
+
+    if (numbytes > size) {
+        SCLogWarning(SC_ERR_INVALID_VALUE,
+                     "DER message requires to read over available data");
+        return NULL;
+    }
+
     d_ptr += 2;
 
     value = 0;