From f60f7a62e259ec518c94c08b23ef0dce9d41083b Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 5 Feb 2016 12:58:45 -0800
Subject: [PATCH] asn1: Protect against overlong tag lengths

Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 lib/util/asn1.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 9aa9772e013..dc7f679fa61 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -641,9 +641,20 @@ bool asn1_start_tag(struct asn1_data *data, uint8_t tag)
 return false;
 nesting->taglen = b;
 while (n > 1) {
+ size_t taglen;
+
 if (!asn1_read_uint8(data, &b))
 return false;
- nesting->taglen = (nesting->taglen << 8) | b;
+
+ taglen = (nesting->taglen << 8) | b;
+
+ if ((taglen >> 8) != nesting->taglen) {
+ /* overflow */
+ data->has_error = true;
+ return false;
+ }
+ nesting->taglen = taglen;
+
 n--;
 }
 } else {
-- 
2.47.3
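Review bot: The guard added inside the `while (n > 1)` loop rejects only length octets that wrap `size_t`; a length that still fits in `size_t` but is far larger than the input that remains is accepted and stored in `nesting->taglen`. Whether that value is later compared with the bytes left in `data` cannot be seen here, because `asn1_start_tag` begins and ends outside the hunk, so that bound should be confirmed (or added) after the loop before anything trusts `taglen`. The bare `/* overflow */` would also be clearer if it stated the limit of the check, for example `/* length octets no longer fit in size_t; this does not bound taglen by the remaining input */`.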