From 335ad2d8cc1c7dae39ee3a9f8523fd7384663465 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 20 Sep 2019 17:12:17 +0200
Subject: [PATCH] der/asn1: don't pass on more data than is specified
Set and Sequence parsers would pass on max available data instead of the size of their object. Malformed data could trigger massive recursion this way, leading to spending much more resources than necessary. Found using AFL. Bug #3185.
---
 src/util-decode-der.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index 53fab0edf0..2bdb63fab2 100644
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -846,8 +846,9 @@ static Asn1Generic * DecodeAsn1DerSequence(const unsigned char *buffer,
 while (parsed_bytes < d_length) {
 el_max_size = max_size - (d_ptr-buffer);
- Asn1Generic *child = DecodeAsn1DerGeneric(d_ptr, el_max_size, depth,
- seq_index, errcode);
+ Asn1Generic *child = DecodeAsn1DerGeneric(d_ptr,
+ MIN(node->length, el_max_size), depth,
+ seq_index, errcode);
 if (child == NULL) {
 if (*errcode != 0) {
 DerFree(node);
@@ -924,7 +925,8 @@ static Asn1Generic * DecodeAsn1DerSet(const unsigned char *buffer,
 el_max_size = max_size - (d_ptr-buffer);
- child = DecodeAsn1DerGeneric(d_ptr, el_max_size, depth, seq_index, errcode);
+ child = DecodeAsn1DerGeneric(d_ptr, MIN(node->length, el_max_size),
+ depth, seq_index, errcode);
 if (child == NULL) {
 DerFree(node);
 return NULL;
--
2.47.2
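Review bot: The new bound `MIN(node->length, el_max_size)` in the DecodeAsn1DerSequence loop stays the same on every iteration, so once earlier children have been consumed a later child can still be handed more bytes than remain inside the sequence. The loop already compares `parsed_bytes` with `d_length`, so, assuming `d_length` is the declared content length (its assignment is outside the hunk), the tighter per-child bound would be `MIN(d_length - parsed_bytes, el_max_size)`. If `node->length` also counts the tag and length octets, the same over-allowance applies to the single call in DecodeAsn1DerSet in the second hunk, which deserves the same check. The function body starts and ends outside the hunk.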
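Review bot: The clamped call in DecodeAsn1DerSet carries no comment saying why `node->length` bounds the child, so a later cleanup could plausibly revert it to plain `el_max_size` and reintroduce the resource exhaustion described in the commit message. I would add a line above the call such as `/* never hand the child more than this SET declares; oversized bounds let malformed input drive excessive recursion (Bug #3185) */`, and the same kind of comment fits the DecodeAsn1DerSequence call in the first hunk. The function body starts and ends outside the hunk.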