From: Amos Jeffries
Date: Thu, 19 Jun 2008 05:32:28 +0000 (-0600)
Subject: Author: Henrik Nordstrom
X-Git-Tag: SQUID_3_0_STABLE7~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21ae36c9b0b6a584c58f0492e33c5f570668813c;p=thirdparty%2Fsquid.git
Author: Henrik Nordstrom
Reject ridiculously large ASN.1 lengths
---
diff --git a/snmplib/asn1.c b/snmplib/asn1.c
index bfdd3fda04..5ad7d7515b 100644
--- a/snmplib/asn1.c
+++ b/snmplib/asn1.c
@@ -324,10 +324,10 @@ asn_build_unsigned_int(u_char * data, int *datalength,
 return (NULL);
 }
 integer = *intp;
- mask = (u_int) 0xFF << (8 * (sizeof(int) - 1));
- /* mask is 0xFF000000 on a big-endian machine */
- if ((u_char) ((integer & mask) >> (8 * (sizeof(int) - 1))) & 0x80) {
- /* if MSB is set */
+ mask = (u_int) 0x80 << (8 * (sizeof(int) - 1));
+ /* mask is 0x80000000 on a big-endian machine */
+ if ((integer & mask) != 0) {
+ /* add a null byte if MSB is set, to prevent sign extension */
 add_null_byte = 1;
 intsize++;
 }
@@ -336,11 +336,11 @@ asn_build_unsigned_int(u_char * data, int *datalength,
 * this 2's complement integer.
 * There should be no sequence of 9 consecutive 1's or 0's at the
 * most significant end of the integer.
+ * The 1's case is taken care of above by adding a null byte.
 */
 mask = (u_int) 0x1FF << ((8 * (sizeof(int) - 1)) - 1);
 /* mask is 0xFF800000 on a big-endian machine */
- while ((((integer & mask) == 0)
- || ((integer & mask) == mask)) && intsize > 1) {
+ while (((integer & mask) == 0) && intsize > 1) {
 intsize--;
 integer <<= 8;
 }
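Review bot: The added comment `/* mask is 0x80000000 on a big-endian machine */` attributes the value to byte order, but the mask comes from a shift on a `u_int` and is the same on any host where int is 32 bits; `/* mask is 0x80000000 when int is 32 bits */` would be accurate, and the same wording recurs in the second hunk's context line for 0xFF800000. Separately, `intsize++` makes the encoded value one octet longer than `sizeof(int)`, and the check that `*datalength` has room for that extra octet is not visible here because the body of asn_build_unsigned_int starts and ends outside the hunk. It is worth confirming that the bound is checked against the incremented size.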
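Review bot: The block comment above the loop still calls the value "this 2's complement integer" and speaks of 9 consecutive 1's, while the loop as changed strips only leading zero octets of a `u_int`; stating the rule directly would read better, for example `* The value is unsigned: drop leading zero octets while the top 9 bits are all 0.` The new condition also keeps a redundant pair of parentheses and could be `while ((integer & mask) == 0 && intsize > 1) {`. The hunks shown do not reject any length, so the commit subject may describe a different change; that is worth confirming before this commit is cited as the fix. The function body starts and ends outside the hunk.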