[PATCH] Integer overflow in asn1_read_GeneralString
Stefan (metze) Metzmacher
metze at samba.org
Wed Feb 11 05:29:00 GMT 2004
Anthony Liguori wrote:
> Index: libsmb/asn1.c
> ===================================================================
> RCS file: /cvsroot/samba/source/libsmb/asn1.c,v
> retrieving revision 1.11.2.5
> diff -u -r1.11.2.5 asn1.c
> --- libsmb/asn1.c 23 Jul 2003 12:33:57 -0000 1.11.2.5
> +++ libsmb/asn1.c 11 Feb 2004 05:03:44 -0000
> @@ -365,6 +365,13 @@
> int len;
> if (!asn1_start_tag(data, ASN1_GENERAL_STRING)) return False;
> len = asn1_tag_remaining(data);
> +
> + // check for integer overflow
> + if ((len + 1) == 0) {
> + data->has_error = True;
> + return False;
> + }
> +
> *s = malloc(len+1);
> if (! *s) {
> data->has_error = True;
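Review bot: the new check `if ((len + 1) == 0)` only catches the one case where `len` is the maximum `int` value, and since `len` is a signed `int` (see `int len;` in the context), `len + 1` is itself undefined behaviour when it wraps; any negative `len` coming back from asn1_tag_remaining() still reaches `*s = malloc(len+1);`, where it is converted to a huge `size_t`. Suggest rejecting `len < 0` before doing any arithmetic, e.g. `if (len < 0) { data->has_error = True; return False; }`, and ideally also bounding `len` by the data actually remaining in the buffer. Minor: the `//` comment should be `/* ... */` to match the rest of the file.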
Anthony,
we should not use '//' comments, please use /* ... */ :-)
I don't know what asn1_tag_remaining() can return...
but what about checking ((len + 1) <= 0) instead of just == 0 ?
--
metze
Stefan Metzmacher <metze at samba.org> www.samba.org