From 8f885ce8108dd1885bd5fec8d55cb111890a82e8 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Mon, 28 Nov 2011 10:14:28 +0100
Subject: [PATCH] TLS parser: add sanity checks on loop

It was possible in some loop to read data placed after the buffer
resulting in invalid/unpredictable value. This patch fixes two of
this issues.
---
 src/util-decode-der.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index 2f530b84a7..75a1ed3b00 100644
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -206,6 +206,12 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer, uint32_t
                 d_ptr++;
             } else { /* long form 8.1.3.5 */
                 numbytes = c & 0x7f;
+                if (numbytes > el_max_size) {
+                    SCFree(child);
+                    SCLogWarning(SC_ERR_INVALID_VALUE,
+                                 "DER message requires to read over message");
+                    return NULL;
+                }
                 child->length = 0;
                 d_ptr++;
                 for (i=0; i<numbytes; i++) {
@@ -235,6 +241,13 @@ static Asn1Generic * DecodeAsn1DerInteger(const unsigned char *buffer, uint32_t
     Asn1Generic *a;
 
     numbytes = d_ptr[1];
+
+    if (numbytes > size) {
+        SCLogWarning(SC_ERR_INVALID_VALUE,
+                     "DER message requires to read over available data");
+        return NULL;
+    }
+
     d_ptr += 2;
 
     value = 0;
-- 
2.47.2