[PATCH] Integer overflow in asn1_read_GeneralString

Anthony Liguori anthony at codemonkey.ws
Wed Feb 11 05:37:46 GMT 2004


Stefan (metze) Metzmacher wrote:

> Anthony,
>
> we should not use '//' comments, please use /* ... */ :-)

Sorry, too much C++ at Uni :-)

> I don't know what asn1_tag_remaining() can return...
> but what about checking ((len + 1) <= 0) instead of just == 0 ?
>
asn1_tag_remaining() returns the tag length (that gets passed on the 
wire) minus whatever position we've read so far.  The only case we must 
concern ourselves here is when tag length == 0xFFFFFFFF and ofs = 0 
since we're only adding by one (hence this is the only overflow case).  
Since len is an `int', checking for <= is dangerous since the above tag 
length is -1 and -1 is certainly less than zero (although technically 
still valid).  I considered changing the int->size_t universally in 
asn1.c but after the last int->size_t debate I figured I'd take the 
conservative approach :-)

Regards,
Anthony Liguori
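The case discussed above, as an added illustration that is not Samba's code or either author's patch: a small stand-in for the decoder state (the `asn1_demo` struct, `asn1_tag_remaining` and `asn1_read_general_string_demo` are hypothetical names), with the wire length 0xFFFFFFFF stored in an `int` exactly as the thread describes, so that `len + 1` wraps to 0. The sizing check rejects both the negative case and the `INT_MAX` case before the addition, which is the general form of the `== 0` test.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the decoder state discussed in the thread:
 * tag_len is the length taken from the wire (kept as int, as in the
 * discussion), ofs is how far into the tag we have already read. */
struct asn1_demo {
    const unsigned char *data;
    int tag_len;
    int ofs;
};

/* Hypothetical asn1_tag_remaining: tag length minus what we have read. */
static int asn1_tag_remaining(const struct asn1_demo *a)
{
    return a->tag_len - a->ofs;
}

/* Overflow-aware sizing for a NUL-terminated copy of the remaining bytes.
 * Rejects a negative remainder (0xFFFFFFFF on the wire read back as -1)
 * and INT_MAX, where remaining + 1 would not fit in an int at all. */
static bool general_string_alloc_size(int remaining, size_t *out)
{
    if (remaining < 0 || remaining == INT_MAX)
        return false;
    *out = (size_t)remaining + 1;   /* cannot wrap: computed in size_t */
    return true;
}

/* Copies the remaining tag bytes into a fresh NUL-terminated buffer.
 * Returns NULL on a bad length or allocation failure. */
static char *asn1_read_general_string_demo(struct asn1_demo *a)
{
    int remaining = asn1_tag_remaining(a);
    size_t alloc;
    char *s;

    if (!general_string_alloc_size(remaining, &alloc))
        return NULL;
    s = malloc(alloc);
    if (s == NULL)
        return NULL;
    memcpy(s, a->data + a->ofs, (size_t)remaining);
    s[remaining] = '\0';
    a->ofs += remaining;
    return s;
}

/* 1 if the sizing check refuses this remainder, 0 if it accepts it. */
int demo_length_is_rejected(int remaining)
{
    size_t unused;
    return general_string_alloc_size(remaining, &unused) ? 0 : 1;
}

/* 1 if a well-formed 5-byte tag (constructed sample) reads back as
 * "hello" and advances the offset past the tag. */
int demo_reads_valid_string(void)
{
    static const unsigned char wire[] = "hello";   /* constructed sample */
    struct asn1_demo a = { wire, 5, 0 };
    char *s = asn1_read_general_string_demo(&a);
    int ok;

    if (s == NULL)
        return 0;
    ok = (strcmp(s, "hello") == 0) && (a.ofs == 5);
    free(s);
    return ok;
}

int main(void)
{
    /* tag length 0xFFFFFFFF seen as int -1, ofs 0: len + 1 wraps to 0 */
    printf("len -1 rejected: %d\n", demo_length_is_rejected(-1));
    printf("len INT_MAX rejected: %d\n", demo_length_is_rejected(INT_MAX));
    printf("valid string ok: %d\n", demo_reads_valid_string());
    return 0;
}
```

The check is placed before the addition because, unlike the `-1 + 1 == 0` case, `INT_MAX + 1` is undefined behaviour in C and a compiler may optimise away a post-hoc `== 0` comparison.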



More information about the samba-technical mailing list