Reinstate the check for invalid length BIT STRINGS,
authorDr. Stephen Henson <steve@openssl.org>
Fri, 23 Aug 2002 00:02:11 +0000 (00:02 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 23 Aug 2002 00:02:11 +0000 (00:02 +0000)
which was effectively bypassed in the ASN1 changed.

crypto/asn1/a_bitstr.c
crypto/asn1/tasn_dec.c

index ed0bdfb..e0265f6 100644 (file)
@@ -120,6 +120,12 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
        unsigned char *p,*s;
        int i;
 
+       if (len < 1)
+               {
+               i=ASN1_R_STRING_TOO_SHORT;
+               goto err;
+               }
+
        if ((a == NULL) || ((*a) == NULL))
                {
                if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
index 0fc1f42..f87c087 100644 (file)
@@ -913,10 +913,10 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *i
                        ctx->ptag = ptag;
                        ctx->hdrlen = p - q;
                        ctx->valid = 1;
-                       /* If definite length, length + header can't exceed total
-                        * amount of data available.
+                       /* If definite length, and no error, length +
+                        * header can't exceed total amount of data available. 
                         */
-                       if(!(i & 1) && ((plen + ctx->hdrlen) > len)) {
+                       if(!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
                                ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
                                asn1_tlc_clear(ctx);
                                return 0;