BACKPORT: asn1_find_node: added safety check on asn1_find_node()
18/134418/1 accepted/tizen/4.0/unified/20170816.011243 accepted/tizen/4.0/unified/20170828.222817 accepted/tizen/unified/20170620.174035 submit/tizen/20170616.143116 submit/tizen_4.0/20170811.094300 submit/tizen_4.0/20170828.100006
author Nikos Mavrogiannopoulos <nmav@redhat.com>
Thu, 18 May 2017 16:03:34 +0000 (18:03 +0200)
committer Rafal Krypa <r.krypa@samsung.com>
Fri, 16 Jun 2017 09:13:16 +0000 (11:13 +0200)
This prevents a stack overflow in asn1_find_node() which
is triggered by too long variable names in the definitions
files. That means that applications have to deliberately
pass a too long 'name' constant to asn1_write_value()
and friends.  Reported by Jakub Jirasek.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
(cherry-picked from upstream 5520704d075802df25ce4ffccc010ba1641bd484)

Change-Id: I893834c68ede90cd5953289a2c207c79e2971b51

lib/parser_aux.c

index 52700c6..16379af 100644 (file)
@@ -120,6 +120,9 @@ asn1_find_node (asn1_node pointer, const char *name)
       if (n_end)
        {
          nsize = n_end - n_start;
+         if (nsize >= sizeof(n))
+               return NULL;
+
          memcpy (n, n_start, nsize);
          n[nsize] = 0;
          n_start = n_end;
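
Review bot: In the first `if (n_end)` block, the new `return NULL;` reports an over-long name component the same way as any other NULL result from asn1_find_node(), so if NULL is also what a lookup miss returns, callers cannot distinguish a rejected name from a missing node. If that is intended, a short comment above `if (nsize >= sizeof(n))` should say so, and should note that `>=` rather than `>` is needed because `n[nsize] = 0` writes one byte past the copied data. The added lines also depart from the surrounding style: the neighbouring call is written `memcpy (n, ...)` with a space before the parenthesis while the check uses `sizeof(n)`, and `return NULL;` is indented deeper than the rest of the block. Only the branch where `n_end` is set is visible here; it is worth confirming that the path taken when `n_end` is NULL is bounded as well.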
@@ -158,6 +161,9 @@ asn1_find_node (asn1_node pointer, const char *name)
       if (n_end)
        {
          nsize = n_end - n_start;
+         if (nsize >= sizeof(n))
+               return NULL;
+
          memcpy (n, n_start, nsize);
          n[nsize] = 0;
          n_start = n_end;
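
Review bot: The check added in this second `if (n_end)` block is a verbatim copy of the one in the hunk above, sitting in front of an identical `memcpy (n, n_start, nsize); n[nsize] = 0;` sequence. Consider moving the length check, the copy and the terminator into one small static helper that takes the destination size as a parameter, so the two copy sites cannot drift apart and a future third one gets the bound automatically. Passing the size explicitly would also remove the dependence on `sizeof(n)`, which only yields the buffer size as long as `n` is declared as an array in this scope.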