[git] KSBA - branch, master, updated. libksba-1.3.4-9-g89d8983
by Werner Koch
cvs at cvs.gnupg.org
Mon Aug 22 11:14:30 CEST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "KSBA is a library to access X.509 certificates and CMS data.".
The branch, master has been updated
via 89d898346b75337ec2546c672ea720c5c956b53a (commit)
from eb7833b8720cd0831c78d42e993ca878cecf27bc (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 89d898346b75337ec2546c672ea720c5c956b53a
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 22 10:47:59 2016 +0200
Limit allocation in the BER decoder to 16 MiB.
* src/ber-decoder.c (MAX_IMAGE_LENGTH): New.
(decoder_next): Limit allocation to MAX_IMAGE_LENGTH.
(_ksba_ber_decoder_dump, _ksba_ber_decoder_decode): Ditto.
--
We allocate the image used to allocate BER encoded data from the
provided length in the object. However, this length may be given
arbitrarily and we would thus try to allocate huge amounts of
memory (and zero them out since commit 2a9fc56) unless the user has
set an appropriate ulimit. This is not desirable and thus we better
bail out early if a strange (i.e. very large) object is seen.
That whole table driven parser is a mess.
Reported-by: Pascal Cuoq <cuoq 'at' trust-in-soft com>
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/src/ber-decoder.c b/src/ber-decoder.c
index dde73fd..20a91b1 100644
--- a/src/ber-decoder.c
+++ b/src/ber-decoder.c
@@ -42,6 +42,11 @@
#include "ber-help.h"
+/* The maximum length we allow for an image, that is for a BER encoded
+ * object. */
+#define MAX_IMAGE_LENGTH (16 * 1024 * 1024)
+
+
struct decoder_state_item_s {
AsnNode node;
int went_up;
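Review bot: The comment on MAX_IMAGE_LENGTH should say that the limit applies to the allocation size, not to the encoded length. Every check in this patch compares it against the object length plus 100 bytes of slack, so the largest object accepted is 100 bytes short of 16 MiB. Since the value is fixed at compile time, a short note on why 16 MiB was chosen would also help whoever has to revisit it.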
@@ -867,6 +872,8 @@ decoder_next (BerDecoder d)
d->image.length = ti.length + 100;
if (d->image.length < ti.length)
return gpg_error (GPG_ERR_BAD_BER);
+ if (d->image.length > MAX_IMAGE_LENGTH)
+ return gpg_error (GPG_ERR_TOO_LARGE);
d->image.buf = xtrycalloc (1, d->image.length);
if (!d->image.buf)
return gpg_error (GPG_ERR_ENOMEM);
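Review bot: In decoder_next the new check runs after d->image.length has already been set to ti.length + 100, so when GPG_ERR_TOO_LARGE (or the existing GPG_ERR_BAD_BER) is returned the decoder state keeps a length for which no buffer was allocated. Consider comparing ti.length against the limit first and assigning d->image.length only once the size is accepted, or resetting it to 0 on the error returns.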
@@ -1111,9 +1118,12 @@ _ksba_ber_decoder_dump (BerDecoder d, FILE *fp)
if (!buf || buflen < d->val.length)
{
xfree (buf);
+ buf = NULL;
buflen = d->val.length + 100;
if (buflen < d->val.length)
err = gpg_error (GPG_ERR_BAD_BER); /* Overflow */
+ else if (buflen > MAX_IMAGE_LENGTH)
+ err = gpg_error (GPG_ERR_TOO_LARGE);
else
{
buf = xtrymalloc (buflen);
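Review bot: The added "buf = NULL;" after xfree (buf) in _ksba_ber_decoder_dump is a separate fix from the size limit: without it, both error branches leave buf pointing at freed memory. The ChangeLog entry only says "Ditto" for this function, so the pointer reset deserves its own line there. Also, buflen is still updated before the checks, so on the error branches it holds the rejected size while buf is NULL; setting buflen to 0 there would keep the pair consistent.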
@@ -1247,9 +1257,12 @@ _ksba_ber_decoder_decode (BerDecoder d, const char *start_name,
if (!buf || buflen < d->val.length)
{
xfree (buf);
+ buf = NULL;
buflen = d->val.length + 100;
if (buflen < d->val.length)
err = gpg_error (GPG_ERR_BAD_BER);
+ else if (buflen > MAX_IMAGE_LENGTH)
+ err = gpg_error (GPG_ERR_TOO_LARGE);
else
{
buf = xtrymalloc (buflen);
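Review bot: The buffer-growing sequence in _ksba_ber_decoder_decode is now line for line the same as the one in _ksba_ber_decoder_dump, including the new MAX_IMAGE_LENGTH branch, which means the overflow and size checks have to be kept in sync by hand in two places. A small static helper taking &buf, &buflen and d->val.length and returning the gpg_error_t would keep the policy in one spot. The wraparound branch here also lacks the "/* Overflow */" comment that the dump function has.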
-----------------------------------------------------------------------
Summary of changes:
src/ber-decoder.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
hooks/post-receive
--
KSBA is a library to access X.509 certificates and CMS data.
http://git.gnupg.org