From: Victor Julien Date: Fri, 20 Sep 2019 15:12:17 +0000 (+0200) Subject: der/asn1: don't pass on more data than is specified X-Git-Tag: suricata-5.0.0-rc1~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=335ad2d8cc1c7dae39ee3a9f8523fd7384663465;p=thirdparty%2Fsuricata.git der/asn1: don't pass on more data than is specified Set and Sequence parsers would pass on max available data instead of the size of their object. Malformed data could trigger massive recursion this way, leading to spending much more resources than necessary. Found using AFL. Bug #3185.
---
diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index 53fab0edf0..2bdb63fab2 100644
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -846,8 +846,9 @@ static Asn1Generic * DecodeAsn1DerSequence(const unsigned char *buffer,
 while (parsed_bytes < d_length) {
 el_max_size = max_size - (d_ptr-buffer);
- Asn1Generic *child = DecodeAsn1DerGeneric(d_ptr, el_max_size, depth,
- seq_index, errcode);
+ Asn1Generic *child = DecodeAsn1DerGeneric(d_ptr,
+ MIN(node->length, el_max_size), depth,
+ seq_index, errcode);
 if (child == NULL) {
 if (*errcode != 0) {
 DerFree(node);
@@ -924,7 +925,8 @@ static Asn1Generic * DecodeAsn1DerSet(const unsigned char *buffer,
 el_max_size = max_size - (d_ptr-buffer);
- child = DecodeAsn1DerGeneric(d_ptr, el_max_size, depth, seq_index, errcode);
+ child = DecodeAsn1DerGeneric(d_ptr, MIN(node->length, el_max_size),
+ depth, seq_index, errcode);
 if (child == NULL) {
 DerFree(node);
 return NULL;
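Review bot: In the DecodeAsn1DerSequence hunk, the new bound `MIN(node->length, el_max_size)` caps every child at the sequence's full declared length rather than at what is left of it, so the second and later elements can still be handed bytes that lie past the end of the enclosing object. Since the loop already tracks `parsed_bytes` against `d_length`, the tighter bound would be `MIN(d_length - parsed_bytes, el_max_size)`, which cannot underflow inside `while (parsed_bytes < d_length)`. This assumes `node->length` holds the same value as `d_length`, which is set outside the hunk and should be confirmed. The DecodeAsn1DerSet hunk shows only a single child decoded from the start of the content, so the same concern does not appear to arise there from what is visible. The loop body continues outside the hunk.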