21. [`--log.file-name-format`](#--logfile-name-format)
22. [`--output.roa`](#--outputroa)
23. [`--output.bgpsec`](#--outputbgpsec)
- 24. [`--configuration-file`](#--configuration-file)
- 25. [`rsync.program`](#rsyncprogram)
- 26. [`rsync.arguments-recursive`](#rsyncarguments-recursive)
- 27. [`rsync.arguments-flat`](#rsyncarguments-flat)
- 28. [`incidences`](#incidences)
+ 24. [`--asn1-decode-max-stack`](#--asn1-decode-max-stack)
+ 25. [`--configuration-file`](#--configuration-file)
+ 26. [`rsync.program`](#rsyncprogram)
+ 27. [`rsync.arguments-recursive`](#rsyncarguments-recursive)
+ 28. [`rsync.arguments-flat`](#rsyncarguments-flat)
+ 29. [`incidences`](#incidences)
## Syntax
If a value isn't specified, then the BGPsec Router Keys aren't printed.
+### `--asn1-decode-max-stack`
+
+- **Type:** Integer
+- **Availability:** `argv` and JSON
+- **Default:** 4096
+- **Range:** 1--[`UINT_MAX`](http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html)
+
+ASN1 decoder max allowed stack size in bytes, utilized to avoid a stack overflow when a large nested ASN1 object is parsed.
+
+This check is merely a caution, since ASN1 decoding functions are recursive and might cause a stack overflow. So, this argument probably won't be necessary in most cases, since the RPKI ASN1 objects don't have nested objects that require too much stack allocation (for now).
+
### `--configuration-file`
- **Type:** String (Path to file)
"output": {
"roa": "/tmp/fort/roas.csv",
"bgpsec": "/tmp/fort/bgpsec.csv"
- }
+ },
+ "asn1-decode-max-stack": 4096
}
.B \-\-output.bgpsec=-
.RE
+.B \-\-asn1-decode-max-stack=\fIUNSIGNED_INTEGER\fR
+.RS 4
+ASN1 decoder max allowed stack size in bytes, utilized to avoid a stack
+overflow when a large nested ASN1 object is parsed.
+.P
+By default, it has a value of \fI4096\fR (4 kB).
+.RE
+.P
+
.SH EXAMPLES
.B fort \-t /tmp/tal \-r /tmp/repository \-\-server.port 9323
.RS 4
"output": {
"roa": "/tmp/fort/roas.csv",
"bgpsec": "/tmp/fort/bgpsec.csv"
- }
+ },
+ "asn1-decode-max-stack": 4096
}
.fi
.RE
#include <errno.h>
#include "common.h"
+#include "config.h"
#include "log.h"
#define COND_LOG(log, pr) (log ? pr : -EINVAL)
asn_TYPE_descriptor_t const *descriptor, void **result, bool log,
bool dec_as_der)
{
+ asn_codec_ctx_t s_codec_ctx;
asn_dec_rval_t rval;
int error;
*result = NULL;
+ s_codec_ctx.max_stack_size = config_get_asn1_decode_max_stack();
- /* TODO (next iteration) first argument is more or less important. */
- rval = ber_decode(0, descriptor, result, buffer, buffer_size);
+ rval = ber_decode(&s_codec_ctx, descriptor, result, buffer,
+ buffer_size);
if (rval.code != RC_OK) {
/* Must free partial object according to API contracts. */
ASN_STRUCT_FREE(*descriptor, *result);
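Review bot: `s_codec_ctx` is declared without an initializer and only `max_stack_size` is assigned before its address is passed to `ber_decode()`. The definition of `asn_codec_ctx_t` is not visible here, so any other member it has, or later gains, would be read with an indeterminate value. Declaring it as `asn_codec_ctx_t s_codec_ctx = { 0 };` keeps the call well-defined either way. The removed TODO could be replaced by a short comment recording why the context is now passed, for example `/* Limit decoder recursion on nested objects (see --asn1-decode-max-stack). */`. The function starts before and continues past the lines shown in this hunk.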
/** File where the validated BGPsec certs will be stored */
char *bgpsec;
} output;
+
+ /* ASN1 decoder max stack size allowed */
+ unsigned int asn1_decode_max_stack;
};
static void print_usage(FILE *, bool);
.arg_doc = "<file>",
},
+ {
+ .id = 8000,
+ .name = "asn1-decode-max-stack",
+ .type = >_uint,
+ .offset = offsetof(struct rpki_config, asn1_decode_max_stack),
+ .doc = "ASN1 decoder max stack size, utilized to avoid a stack overflow on large nested ASN1 objects",
+ .min = 1,
+ .max = UINT_MAX,
+ },
+
{ 0 },
};
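Review bot: `.max = UINT_MAX` accepts a limit far larger than any real thread stack, and at that value the check presumably no longer stops a deeply nested object before the stack is exhausted. Either cap `.max` at a value tied to the stack size the process actually runs with, or state in the option's documentation that large values effectively disable the guard. The `.doc` string also omits the unit that the markdown and man page give; `"ASN1 decoder max stack size in bytes, ..."` would match them. The options array begins outside this hunk.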
rpki_config.output.roa = NULL;
rpki_config.output.bgpsec = NULL;
+ rpki_config.asn1_decode_max_stack = 4096; /* 4kB */
+
return 0;
revert_recursive_array:
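Review bot: Nothing in this change shows that valid objects decode within the 4096-byte default set here, which replaces whatever limit applied when `ber_decode()` was called with a null context. If the bundled decoder fell back to a built-in limit in that case (worth confirming), the new default may be tighter than before and could cause well-formed objects to be rejected as decode failures. A named constant with a comment saying how the value was chosen, e.g. `#define ASN1_DECODE_MAX_STACK_DEFAULT 4096`, plus a test decoding the deepest object type under the default, would make this safer to tune. The initializer function starts and ends outside this hunk.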
return rpki_config.output.bgpsec;
}
+unsigned int
+config_get_asn1_decode_max_stack(void)
+{
+ return rpki_config.asn1_decode_max_stack;
+}
+
void
free_rpki_config(void)
{
struct string_array const *config_get_rsync_args(bool);
char const *config_get_output_roa(void);
char const *config_get_output_bgpsec(void);
+unsigned int config_get_asn1_decode_max_stack(void);
/* Needed public by the JSON module */
void *get_rpki_config_field(struct option_field const *);