]> git.ipfire.org Git - thirdparty/krb5.git/commit
projects / thirdparty / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: f78edbe) | patch
Be stricter about ASN.1 decoding 1129/head
authorDemi M. Obenour <demiobenour@gmail.com>
Sun, 25 Oct 2020 15:05:23 +0000 (11:05 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 9 Nov 2020 02:18:30 +0000 (21:18 -0500)
commitd9443a58cd364349b7d764f4e997f3af7d979a87
tree85b68eff1ee416739f0117b917b39e8207e60c1dtree
parentf78edbe30816f049e1360cb6e203fabfdf7b98dfcommit | diff
Be stricter about ASN.1 decoding

Remove support for BER indefinite-length encodings, which are not
valid in DER.  Enforce validity of digits in GeneralizedTime values.
Reject signed integer encodings large enough to possibly overflow
intmax_t, and use regular arithmetic to avoid the undefined behavior
of left-shifting a negative integer.  Reject trailing garbage in
explicitly-tagged single values.  Remove the unnecessary
KRB5_GENEROUS_LR_TYPE workaround; our KDC doesn't generate last-req
information, so the broken pre-2000 encoding behavior had no impact.

[ghudson@mit.edu: edited commit message]
src/lib/krb5/asn.1/README.asn1 diff | blob | blame | history
src/lib/krb5/asn.1/asn1_encode.c diff | blob | blame | history
src/lib/krb5/asn.1/asn1_encode.h diff | blob | blame | history
src/lib/krb5/asn.1/asn1_k_encode.c diff | blob | blame | history
src/lib/krb5/asn.1/krbasn1.h diff | blob | blame | history
src/lib/krb5/error_tables/asn1_err.et diff | blob | blame | history
src/tests/asn.1/krb5_decode_test.c diff | blob | blame | history
Mirror of https://github.com/krb5/krb5.git