diff options
| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-05-18 18:03:34 +0200 |
|---|---|---|
| committer | Rafal Krypa <r.krypa@samsung.com> | 2017-06-16 11:12:25 +0200 |
| commit | 01df4270ca419adbe024172b83bda659f41517d0 (patch) | |
| tree | c3070edbea59aa65ce86ffe4fd695131a278f068 | |
| parent | e5c912938e2958fbeb7ee01183f0bc4e33143ead (diff) | |
| download | libtasn1-01df4270ca419adbe024172b83bda659f41517d0.tar.gz libtasn1-01df4270ca419adbe024172b83bda659f41517d0.tar.bz2 libtasn1-01df4270ca419adbe024172b83bda659f41517d0.zip | |
BACKPORT: asn1_find_node: added safety check on asn1_find_node()submit/tizen_3.0/20170616.143140accepted/tizen/3.0/tv/20170630.081251accepted/tizen/3.0/mobile/20170630.081215accepted/tizen/3.0/ivi/20170630.081312accepted/tizen/3.0/common/20170630.141811accepted/tizen_3.0_ivi
This prevents a stack overflow in asn1_find_node() which
is triggered by too long variable names in the definitions
files. That means that applications have to deliberately
pass a too long 'name' constant to asn1_write_value()
and friends. Reported by Jakub Jirasek.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
(cherry-picked from upstream 5520704d075802df25ce4ffccc010ba1641bd484)
Change-Id: I0e895ea8317544ef2467061853854ff756ee6c9b
| -rw-r--r-- | lib/parser_aux.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/lib/parser_aux.c b/lib/parser_aux.c index 52700c6..16379af 100644 --- a/lib/parser_aux.c +++ b/lib/parser_aux.c @@ -120,6 +120,9 @@ asn1_find_node (asn1_node pointer, const char *name) if (n_end) { nsize = n_end - n_start; + if (nsize >= sizeof(n)) + return NULL; + memcpy (n, n_start, nsize); n[nsize] = 0; n_start = n_end; @@ -158,6 +161,9 @@ asn1_find_node (asn1_node pointer, const char *name) if (n_end) { nsize = n_end - n_start; + if (nsize >= sizeof(n)) + return NULL; + memcpy (n, n_start, nsize); n[nsize] = 0; n_start = n_end; |