From: Victor Julien <victor@inliniac.net>
Date: Mon, 10 Jul 2017 08:15:54 +0000 (+0200)
Subject: der/asn1: limit recursion
X-Git-Tag: suricata-4.0.0-rc2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df3a3c785734792da484d3f5547bdfcd20cc4f26;p=thirdparty%2Fsuricata.git

der/asn1: limit recursion

Limit the number of recursive calls in the DER/ASN.1 decoder to avoid
stack overflows.

Found using AFL.
---

diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index d3fb3237f3..3153361d7b 100644
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -139,6 +139,11 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer,
     Asn1Generic *child;
     uint8_t el_type;
 
+    /* refuse excessive recursion */
+    if (unlikely(depth == 255)) {
+        return NULL;
+    }
+
     el.cls = (d_ptr[0] & 0xc0) >> 6;
     el.pc = (d_ptr[0] & 0x20) >> 5;
     el.tag = (d_ptr[0] & 0x1f);