From: Eric Leblond <eric@regit.org>
Date: Mon, 28 Nov 2011 09:14:28 +0000 (+0100)
Subject: TLS parser: add sanity checks on loop
X-Git-Tag: suricata-1.3beta1~86
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f885ce8108dd1885bd5fec8d55cb111890a82e8;p=thirdparty%2Fsuricata.git

TLS parser: add sanity checks on loop

It was possible in some loop to read data placed after the buffer
resulting in invalid/unpredictable value. This patch fixes two of
this issues.
---

diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index 2f530b84a7..75a1ed3b00 100644
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -206,6 +206,12 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer, uint32_t
                 d_ptr++;
             } else { /* long form 8.1.3.5 */
                 numbytes = c & 0x7f;
+                if (numbytes > el_max_size) {
+                    SCFree(child);
+                    SCLogWarning(SC_ERR_INVALID_VALUE,
+                                 "DER message requires to read over message");
+                    return NULL;
+                }
                 child->length = 0;
                 d_ptr++;
                 for (i=0; i<numbytes; i++) {
@@ -235,6 +241,13 @@ static Asn1Generic * DecodeAsn1DerInteger(const unsigned char *buffer, uint32_t
     Asn1Generic *a;
 
     numbytes = d_ptr[1];
+
+    if (numbytes > size) {
+        SCLogWarning(SC_ERR_INVALID_VALUE,
+                     "DER message requires to read over available data");
+        return NULL;
+    }
+
     d_ptr += 2;
 
     value = 0;