File strongswan-4.x.x_asn1_length.patch of Package strongswan

diff -urN strongswan-4.2.16/src/libstrongswan/asn1/asn1.c strongswan-4.2.17/src/libstrongswan/asn1/asn1.c
--- strongswan-4.2.16/src/libstrongswan/asn1/asn1.c	2009-06-19 14:33:30.000000000 +0200
+++ strongswan-4.2.17/src/libstrongswan/asn1/asn1.c	2009-07-20 12:44:51.000000000 +0200
@@ -225,25 +225,32 @@
 	u_char n;
 	size_t len;
 	
-	/* advance from tag field on to length field */
-	blob->ptr++;
-	blob->len--;
-	
-	/* read first octet of length field */
-	n = *blob->ptr++;
-	blob->len--;
+	if (blob->len < 2)
+	{
+		DBG2("insufficient number of octets to parse ASN.1 length");
+		return ASN1_INVALID_LENGTH;
+	}
+	
+	/* read length field, skip tag and length */
+	n = blob->ptr[1];
+	*blob = chunk_skip(*blob, 2);
 	
 	if ((n & 0x80) == 0) 
-	{/* single length octet */
+	{	/* single length octet */
+		if (n > blob->len)
+		{
+			DBG2("length is larger than remaining blob size");
+			return ASN1_INVALID_LENGTH;
+		}
 		return n;
 	}
 	
 	/* composite length, determine number of length octets */
 	n &= 0x7f;
 	
-	if (n > blob->len)
+	if (n == 0 || n > blob->len)
 	{
-		DBG2("number of length octets is larger than ASN.1 object");
+		DBG2("number of length octets invalid");
 		return ASN1_INVALID_LENGTH;
 	}
 	
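Review bot: The bound `n > blob->len` added to the single-octet branch has no visible counterpart for the multi-octet form, because `if (n == 0 || n > blob->len)` limits only the number of length octets, not the length value they encode. The function continues past this hunk, so the decoded value may already be bounded there. If it is not, it needs the same test before it is returned, `if (len > blob->len) return ASN1_INVALID_LENGTH;`, otherwise callers can still be handed a length that runs past the end of the blob. It is also worth confirming that `n` is limited to `sizeof(len)` before the accumulation so that `len` cannot wrap. The pluto copy of this function (the last hunk of the second file) has the same shape and needs the same check.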
diff -urN strongswan-4.2.16/src/pluto/asn1.c strongswan-4.2.17/src/pluto/asn1.c
--- strongswan-4.2.16/src/pluto/asn1.c	2009-06-19 14:33:30.000000000 +0200
+++ strongswan-4.2.17/src/pluto/asn1.c	2009-07-20 12:46:13.000000000 +0200
@@ -153,6 +153,14 @@
     u_char n;
     size_t len;
 
+    if (blob->len < 2)
+    {
+	DBG(DBG_PARSING,
+	    DBG_log("insufficient number of octets to parse ASN.1 length")
+	)
+	return ASN1_INVALID_LENGTH;
+    }
+
     /* advance from tag field on to length field */
     blob->ptr++;
     blob->len--;
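Review bot: The `blob->len < 2` guard would read better with a comment saying which two octets it accounts for, since the two `blob->len--` steps that follow depend on it to never run on an exhausted blob. Something like `/* need at least the tag octet and the first length octet */` above the `if` is enough. The function body starts before and continues after this hunk.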
@@ -161,16 +169,25 @@
     n = *blob->ptr++;
     blob->len--;
 
-    if ((n & 0x80) == 0) /* single length octet */
+    if ((n & 0x80) == 0) 
+    {	/* single length octet */
+	if (n > blob->len)
+	{
+	    DBG(DBG_PARSING,
+		DBG_log("length is larger than remaining blob size")
+	    )
+	    return ASN1_INVALID_LENGTH;
+	}
 	return n;
+    }
 
     /* composite length, determine number of length octets */
     n &= 0x7f;
 
-    if (n > blob->len)
+    if (n == 0 || n > blob->len)
     {
 	DBG(DBG_PARSING,
-	    DBG_log("number of length octets is larger than ASN.1 object")
+	    DBG_log("number of length octets invalid")
 	)
 	return ASN1_INVALID_LENGTH;
     }
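Review bot: The `n == 0` case in `if (n == 0 || n > blob->len)` deserves a comment and arguably its own log line, because a first length octet of 0x80 is the BER indefinite-length form, which is a different condition from having more length octets than remaining input. As written both produce "number of length octets invalid", so someone reading the parser log cannot tell a non-DER encoding from a truncated or malformed object. A comment such as `/* n == 0: indefinite length (0x80), not supported */` above the test would do, and the libstrongswan hunk has the same combined test. The function starts before and continues after this hunk.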