From: Volker Lendecke <vl@samba.org>
Date: Fri, 5 Feb 2016 20:58:45 +0000 (-0800)
Subject: asn1: Protect against overlong tag lengths
X-Git-Tag: tevent-0.9.27~40
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f60f7a62e259ec518c94c08b23ef0dce9d41083b;p=thirdparty%2Fsamba.git

asn1: Protect against overlong tag lengths

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---

diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 9aa9772e013..dc7f679fa61 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -641,9 +641,20 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
 			return false;
 		nesting->taglen = b;
 		while (n > 1) {
+			size_t taglen;
+
 			if (!asn1_read_uint8(data, &b))
 				return false;
-			nesting->taglen = (nesting->taglen << 8) | b;
+
+			taglen = (nesting->taglen << 8) | b;
+
+			if ((taglen >> 8) != nesting->taglen) {
+				/* overflow */
+				data->has_error = true;
+				return false;
+			}
+			nesting->taglen = taglen;
+
 			n--;
 		}
 	} else {