| author | Denys Vlasenko <vda.linux@googlemail.com> | 2017-01-14 22:38:25 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-01-14 22:38:25 +0100 |
| commit | 2a17d1fc9bdcbc97d48dd08a9fa4941da25187fd (patch) | |
| tree | fbf38336b7bab21dae11ba024d10eceaa8afb547 | |
| parent | b1003f7019827d4d2581cc447e293294a1d8e5ae (diff) | |
tls: DER length byte 0x81 is actually valid
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/tls.c | 27 |
1 files changed, 16 insertions, 11 deletions
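--- a/networking/tls.c
+++ b/networking/tls.c
@@ -348,7 +348,7 @@ static void get_server_hello_or_die(tls_state_t *tls)
 
 static unsigned get_der_len(uint8_t **bodyp, uint8_t *der, uint8_t *end)
 {
-unsigned len;
+unsigned len, len1;
 
 if (end - der < 2)
 xfunc_die();
@@ -358,24 +358,29 @@ static unsigned get_der_len(uint8_t **bodyp, uint8_t *der, uint8_t *end)
 len = der[1]; /* maybe it's short len */
 if (len >= 0x80) {
 /* no */
-if (len != 0x82) {
+if (end - der < (int)(len - 0x7e)) /* need 3 or 4 bytes for 81, 82 */
+xfunc_die();
+
+len1 = der[2];
+if (len == 0x81) {
+/* it's "ii 81 xx" */
+} else if (len == 0x82) {
+/* it's "ii 82 xx yy" */
+len1 = 0x100*len1 + der[3];
+der += 1; /* skip [yy] */
+} else {
 /* 0x80 is "0 bytes of len", invalid DER: must use short len if can */
-/* 0x81 is "1 byte of len", invalid DER */
 /* >0x82 is "3+ bytes of len", should not happen realistically */
 xfunc_die();
 }
-if (end - der < 4)
-xfunc_die();
-/* it's "ii 82 xx yy" */
-len = 0x100*der[2] + der[3];
+der += 1; /* skip [xx] */
+len = len1;
 // if (len < 0x80)
 // xfunc_die(); /* invalid DER: must use short len if can */
-
-der += 2; /* skip [code]+[82]+[2byte_len] */
 }
-der += 2; /* skip [code]+[1byte_len] */
+der += 2; /* skip [code]+[1byte] */
 
-if (end - der < len)
+if (end - der < (int)len)
 xfunc_die();
 *bodyp = der;
 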
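Review bot: In the long-form branch of get_der_len, `len1 = der[2];` runs before the length byte has been validated. For `len == 0x80` the guard `end - der < (int)(len - 0x7e)` only requires 2 bytes, so with exactly two bytes left the read lands one byte past `end` before the `else` branch reaches xfunc_die(). Rejecting unsupported length bytes first closes this: `if (len != 0x81 && len != 0x82) xfunc_die();` placed ahead of the bounds check, with the two explanatory comments kept beside it. Separately, the minimal-encoding check stays commented out, so `81 xx` with xx < 0x80 is accepted (and, by the same logic, `82 00 xx`); if that tolerance is deliberate, a comment such as `/* non-minimal DER lengths are accepted on purpose */` would make that clear to the next reader. The function body is only partly visible here (lines 355-357 fall between the hunks and the end lies past the last shown line), so this is based on the shown lines only.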
