From 7f7999bf62a2909a02c91df3194a58221ef505e1 Mon Sep 17 00:00:00 2001
From: doug <>
Date: Sat, 13 Jun 2015 08:46:00 +0000
Subject: Reject long-form tags in CBS_peek_asn1_tag.

Currently, CBS only handles short-form tags.

ok miod@ jsing@
---
 src/lib/libssl/bs_cbs.c         | 9 ++++++++-
 src/lib/libssl/src/ssl/bs_cbs.c | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/bs_cbs.c b/src/lib/libssl/bs_cbs.c
index 4c1bfa3288..c37f81dd60 100644
--- a/src/lib/libssl/bs_cbs.c
+++ b/src/lib/libssl/bs_cbs.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: bs_cbs.c,v 1.7 2015/04/29 02:11:09 doug Exp $	*/
+/*	$OpenBSD: bs_cbs.c,v 1.8 2015/06/13 08:46:00 doug Exp $	*/
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -314,6 +314,13 @@ CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value)
 	if (CBS_len(cbs) < 1)
 		return 0;
 
+	/*
+	 * Tag number 31 indicates the start of a long form number.
+	 * This is valid in ASN.1, but CBS only supports short form.
+	 */
+	if ((tag_value & 0x1f) == 0x1f)
+		return 0;
+
 	return CBS_data(cbs)[0] == tag_value;
 }
 
diff --git a/src/lib/libssl/src/ssl/bs_cbs.c b/src/lib/libssl/src/ssl/bs_cbs.c
index 4c1bfa3288..c37f81dd60 100644
--- a/src/lib/libssl/src/ssl/bs_cbs.c
+++ b/src/lib/libssl/src/ssl/bs_cbs.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: bs_cbs.c,v 1.7 2015/04/29 02:11:09 doug Exp $	*/
+/*	$OpenBSD: bs_cbs.c,v 1.8 2015/06/13 08:46:00 doug Exp $	*/
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -314,6 +314,13 @@ CBS_peek_asn1_tag(const CBS *cbs, unsigned tag_value)
 	if (CBS_len(cbs) < 1)
 		return 0;
 
+	/*
+	 * Tag number 31 indicates the start of a long form number.
+	 * This is valid in ASN.1, but CBS only supports short form.
+	 */
+	if ((tag_value & 0x1f) == 0x1f)
+		return 0;
+
 	return CBS_data(cbs)[0] == tag_value;
 }
 
-- 
cgit v1.2.3-55-g6feb