[PATCH] Integer overflow in asn1_read_GeneralString
Anthony Liguori
anthony at codemonkey.ws
Wed Feb 11 05:37:46 GMT 2004
Stefan (metze) Metzmacher wrote:
> Anthony,
>
> we should not use '//' comments, please use /* ... */ :-)
Sorry, too much C++ at Uni :-)
> I don't know what asn1_tag_remaining() can return...
> but what's about checking ((len + 1) <= 0) instead of just == 0 ?
>
asn1_tag_remaining() returns the tag length (that gets passed on the
wire) minus whatever position we've read so far. The only case we must
concern ourselves here is when tag length == 0xFFFFFFFF and ofs = 0
since we're only adding by one (hence this is the only overflow case).
Since len is an `int', checking for <= is dangerous since the above tag
length is -1 and -1 is certainly less than zero (although technically
still valid). I considered changing the int->size_t universally in
asn1.c but after the last int->size_t debate I figured I'd take the
conservative approach :-)
Regards,
Anthony Liguori
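The overflow case discussed in the reply above, as an added example that is neither Samba's asn1.c nor Anthony's patch: a toy C model in which the wire length is a 32-bit value, the tag_remaining function returns an `int', and the string buffer is sized as len + 1. The 5-byte tag header (one tag byte followed by a fixed 4-byte big-endian length) is this toy's own assumption and not BER length encoding; the names toy_asn1, toy_start_tag, toy_tag_remaining, unchecked_alloc_size and toy_read_general_string, and the sample buffers GOOD and BAD, are constructed for the example. The (len + 1) == 0 check is written in unsigned arithmetic so the toy itself has no signed overflow; the bounds check against the buffer is an addition of this toy, not part of the patch under discussion.

```c
/* Added example, not Samba code: models the len + 1 arithmetic in
 * asn1_read_GeneralString as described in the mail. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct toy_asn1 {
    const uint8_t *data;   /* whole input buffer */
    size_t size;
    size_t ofs;            /* next byte to read */
    uint32_t tag_len;      /* length field of the tag being read */
    size_t tag_start;      /* offset where the tag's contents begin */
};

/* Open a tag: one tag byte, then a 4-byte big-endian length.
 * This fixed-width length is the toy's assumption, not BER. */
static bool toy_start_tag(struct toy_asn1 *a, uint8_t tag)
{
    if (a->size - a->ofs < 5 || a->data[a->ofs] != tag) return false;
    const uint8_t *p = a->data + a->ofs + 1;
    a->tag_len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    a->ofs += 5;
    a->tag_start = a->ofs;
    return true;
}

/* Model of asn1_tag_remaining(): tag length minus bytes already read,
 * returned as an int. A wire length of 0xFFFFFFFF with nothing read
 * yet comes back as -1. */
static int toy_tag_remaining(const struct toy_asn1 *a)
{
    return (int)(a->tag_len - (uint32_t)(a->ofs - a->tag_start));
}

/* Size the unchecked code would request from the allocator: len + 1.
 * For len == -1 this is 0, while the following copy would use len. */
static size_t unchecked_alloc_size(int len)
{
    return (size_t)(len + 1);
}

/* Hardened read. The first test is the patch's (len + 1) == 0 check,
 * done in unsigned arithmetic so the toy avoids signed overflow; the
 * second is this toy's own bounds check against the real buffer. */
static char *toy_read_general_string(struct toy_asn1 *a)
{
    int len = toy_tag_remaining(a);
    if ((unsigned)len + 1U == 0U) return NULL;
    if (len < 0 || (size_t)len > a->size - a->ofs) return NULL;
    char *s = malloc((size_t)len + 1);
    if (!s) return NULL;
    memcpy(s, a->data + a->ofs, (size_t)len);
    s[len] = '\0';
    a->ofs += (size_t)len;
    return s;
}

/* Constructed input: GeneralString tag 0x1B, toy length 5, "hello". */
static const uint8_t GOOD[] = { 0x1B, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
/* Constructed input: same tag, length 0xFFFFFFFF, no payload. */
static const uint8_t BAD[]  = { 0x1B, 0xFF, 0xFF, 0xFF, 0xFF };

int main(void)
{
    struct toy_asn1 good = { GOOD, sizeof GOOD, 0, 0, 0 };
    struct toy_asn1 bad  = { BAD, sizeof BAD, 0, 0, 0 };

    toy_start_tag(&good, 0x1B);
    printf("good: remaining=%d\n", toy_tag_remaining(&good));
    char *s = toy_read_general_string(&good);
    printf("good: read \"%s\"\n", s ? s : "(rejected)");
    free(s);

    toy_start_tag(&bad, 0x1B);
    int len = toy_tag_remaining(&bad);
    printf("bad: remaining=%d, len+1 as size_t=%zu, read %s\n",
           len, unchecked_alloc_size(len),
           toy_read_general_string(&bad) ? "accepted" : "rejected");
    return 0;
}
```

Running it shows the good buffer read as "hello" and the bad buffer yielding remaining = -1, an allocation size of 0 from len + 1, and a rejection from the hardened reader.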