From ef35bb12674bf591385c4629c84b1a76f231755b Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 8 Apr 2020 15:30:52 +1200 Subject: [PATCH] CVE-2020-10704: lib util asn1: Check parse tree depth Check the current depth of the parse tree and reject the input if the depth exceeds that passed to asn1_init Credit to OSS-Fuzz REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334 Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett --- lib/util/asn1.c | 13 +++++++++++++ selftest/knownfail.d/ldap_message | 2 -- 2 files changed, 13 insertions(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/ldap_message diff --git a/lib/util/asn1.c b/lib/util/asn1.c index ec6e674ce20..ee3cff9cb65 100644 --- a/lib/util/asn1.c +++ b/lib/util/asn1.c @@ -647,6 +647,16 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag) uint8_t b; struct nesting *nesting; + /* + * Check the depth of the parse tree and prevent it from growing + * too large. + */ + data->depth++; + if (data->depth > data->max_depth) { + data->has_error = true; + return false; + } + if (!asn1_read_uint8(data, &b)) return false; @@ -703,6 +713,9 @@ bool asn1_end_tag(struct asn1_data *data) { struct nesting *nesting; + if (data->depth > 0) { + data->depth--; + } /* make sure we read it all */ if (asn1_tag_remaining(data) != 0) { data->has_error = true; diff --git a/selftest/knownfail.d/ldap_message b/selftest/knownfail.d/ldap_message deleted file mode 100644 index 242eff45e59..00000000000 --- a/selftest/knownfail.d/ldap_message +++ /dev/null @@ -1,2 +0,0 @@ -^libcli.ldap.ldap_message.test_recursion_depth_greater_than_max\(none\) -^libcli.ldap.ldap_message.test_recursion_depth_large\(none\) -- 2.47.2